[Pkg-xen-devel] Bug#1053177: bullseye-pu: package xen/4.14.6-1
Hans van Kranenburg
hans at knorrie.org
Thu Sep 28 17:27:43 BST 2023
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: xen at packages.debian.org, hans at knorrie.org,
team at security.debian.org
[ Reason ]
Xen 4.14 support (and security support) has ended upstream. The upstream
stable branch for version 4.14 is frozen now, and a final maintenance
release version 4.14.6 has been released. We'd like to put this final
update into Bullseye, to properly finish the Xen work for Bullseye.
Also, a few security fixes (regarding CVE-2023-20593 CVE-2023-20569
CVE-2022-40982) are included.
https://xenbits.xen.org/docs/4.14-testing/SUPPORT.html#release-support
[ Impact ]
The above mentioned CVEs are not fixed.
[ Tests ]
The Debian package is based on upstream commits that have passed
the upstream automated tests.
The Debian package has been successfully tested by the xen packaging
team on their test machines.
[ Risks ]
There could be upstream changes unrelated to the above mentioned
security fixes that cause regressions. However upstream has an automated
testing machinery (osstest) that only allows a commit in the upstream
stable branch if all tests pass.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable (-> src:xen 4.17.2-1)
[ Changes ]
* Advance the upstream source code to the latest available commit in the
upstream stable Xen 4.14 branch line.
* No packaging changes or changes to the patch queue were made.
* Document changes and mention security issues in the changelog in the
usual format.
[ Other info ]
This update, like previous Xen 4.14 updates for Bullseye, is based on
the upstream stable-4.14 branch.
The branch in general only accepts bug fixes and does not allow new
features, so the changes there are mainly security fixes, important bug
fixes and fixes related to hardware errata or hardware support.
The package we have prepared is exactly what we would have done as a
security update in a stable release, what we have historically done
together with the security team and are planning to continue to do.
As upstream does extensive automated testing on their stable branches
chances for unnoticed regressions are low. We believe that by following
the upstream stable release branch line the risk for regressions is
lower than trying to manually pick and adjust (security) patches
without all the deep knowledge that upstream has. This approach is
similar to what the Linux kernel team is doing.
And, for the Debian Xen team 'morale' it is a good thing to be able to
properly finish, wrap up and close off the work for a specific version,
instead of leaving open ends.
We'll also take care of submitting a request for the
debian-security-support package to list Xen in bullseye as no longer
security supported, similarly to what was done for Xen 4.11 in Buster:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993168
Thanks,
Hans van Kranenburg (Knorrie)
-------------- next part --------------
diff -Nru xen-4.14.5+94-ge49571868d/automation/build/centos/7.2.dockerfile xen-4.14.6/automation/build/centos/7.2.dockerfile
--- xen-4.14.5+94-ge49571868d/automation/build/centos/7.2.dockerfile 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/automation/build/centos/7.2.dockerfile 1970-01-01 01:00:00.000000000 +0100
@@ -1,50 +0,0 @@
-FROM centos:7.2.1511
-LABEL maintainer.name="The Xen Project" \
- maintainer.email="xen-devel at lists.xenproject.org"
-
-# ensure we only get bits from the vault for
-# the version we want
-COPY CentOS-7.2.repo /etc/yum.repos.d/CentOS-Base.repo
-
-# install EPEL for dev86, xz-devel and possibly other packages
-RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
- yum clean all
-
-RUN mkdir /build
-WORKDIR /build
-
-# work around https://github.com/moby/moby/issues/10180
-# and install Xen depends
-RUN rpm --rebuilddb && \
- yum -y install \
- yum-plugin-ovl \
- gcc \
- gcc-c++ \
- ncurses-devel \
- zlib-devel \
- openssl-devel \
- python-devel \
- libuuid-devel \
- pkgconfig \
- gettext \
- flex \
- bison \
- libaio-devel \
- glib2-devel \
- yajl-devel \
- pixman-devel \
- glibc-devel \
- glibc-devel.i686 \
- make \
- binutils \
- git \
- wget \
- acpica-tools \
- python-markdown \
- patch \
- checkpolicy \
- dev86 \
- xz-devel \
- bzip2 \
- nasm \
- && yum clean all
diff -Nru xen-4.14.5+94-ge49571868d/automation/build/centos/CentOS-7.2.repo xen-4.14.6/automation/build/centos/CentOS-7.2.repo
--- xen-4.14.5+94-ge49571868d/automation/build/centos/CentOS-7.2.repo 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/automation/build/centos/CentOS-7.2.repo 1970-01-01 01:00:00.000000000 +0100
@@ -1,35 +0,0 @@
-# CentOS-Base.repo
-#
-# This is a replacement file that pins things to just use CentOS 7.2
-# from the CentOS Vault.
-#
-
-[base]
-name=CentOS-7.2.1511 - Base
-baseurl=http://vault.centos.org/7.2.1511/os/$basearch/
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
-
-#released updates
-[updates]
-name=CentOS-7.2.1511 - Updates
-baseurl=http://vault.centos.org/7.2.1511/updates/$basearch/
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
-
-#additional packages that may be useful
-[extras]
-name=CentOS-7.2.1511 - Extras
-baseurl=http://vault.centos.org/7.2.1511/extras/$basearch/
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
-
-#additional packages that extend functionality of existing packages
-[centosplus]
-name=CentOS-7.2.1511 - Plus
-baseurl=http://vault.centos.org/7.2.1511/centosplus/$basearch/
-gpgcheck=1
-gpgcheck=1
-enabled=0
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
-
diff -Nru xen-4.14.5+94-ge49571868d/automation/build/debian/stretch.dockerfile xen-4.14.6/automation/build/debian/stretch.dockerfile
--- xen-4.14.5+94-ge49571868d/automation/build/debian/stretch.dockerfile 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/automation/build/debian/stretch.dockerfile 2023-08-07 14:11:14.000000000 +0200
@@ -49,15 +49,3 @@
apt-get autoremove -y && \
apt-get clean && \
rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
-
-RUN wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
-COPY stretch-llvm-8.list /etc/apt/sources.list.d/
-
-RUN apt-get update && \
- apt-get --quiet --yes install \
- clang-8 \
- lld-8 \
- && \
- apt-get autoremove -y && \
- apt-get clean && \
- rm -rf /var/lib/apt/lists* /tmp/* /var/tmp/*
diff -Nru xen-4.14.5+94-ge49571868d/automation/build/debian/stretch-llvm-8.list xen-4.14.6/automation/build/debian/stretch-llvm-8.list
--- xen-4.14.5+94-ge49571868d/automation/build/debian/stretch-llvm-8.list 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/automation/build/debian/stretch-llvm-8.list 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# Strech LLVM 8 repos
-deb http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
-deb-src http://apt.llvm.org/stretch/ llvm-toolchain-stretch-8 main
diff -Nru xen-4.14.5+94-ge49571868d/automation/configs/x86/hvm_only_config xen-4.14.6/automation/configs/x86/hvm_only_config
--- xen-4.14.5+94-ge49571868d/automation/configs/x86/hvm_only_config 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/automation/configs/x86/hvm_only_config 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-CONFIG_HVM=y
-# CONFIG_PV is not set
-# CONFIG_DEBUG is not set
diff -Nru xen-4.14.5+94-ge49571868d/automation/configs/x86/no_hvm_pv_config xen-4.14.6/automation/configs/x86/no_hvm_pv_config
--- xen-4.14.5+94-ge49571868d/automation/configs/x86/no_hvm_pv_config 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/automation/configs/x86/no_hvm_pv_config 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# CONFIG_HVM is not set
-# CONFIG_PV is not set
-# CONFIG_DEBUG is not set
diff -Nru xen-4.14.5+94-ge49571868d/automation/configs/x86/pv_only_config xen-4.14.6/automation/configs/x86/pv_only_config
--- xen-4.14.5+94-ge49571868d/automation/configs/x86/pv_only_config 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/automation/configs/x86/pv_only_config 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-CONFIG_PV=y
-# CONFIG_HVM is not set
-# CONFIG_DEBUG is not set
diff -Nru xen-4.14.5+94-ge49571868d/automation/gitlab-ci/build.yaml xen-4.14.6/automation/gitlab-ci/build.yaml
--- xen-4.14.5+94-ge49571868d/automation/gitlab-ci/build.yaml 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/automation/gitlab-ci/build.yaml 2023-08-07 14:11:14.000000000 +0200
@@ -26,13 +26,6 @@
CXX: clang++
clang: y
-.clang-8-tmpl:
- variables: &clang-8
- CC: clang-8
- CXX: clang++-8
- LD: ld.lld-8
- clang: y
-
.x86-64-build-tmpl:
<<: *build
variables:
@@ -97,16 +90,6 @@
variables:
<<: *clang
-.clang-8-x86-64-build:
- extends: .x86-64-build
- variables:
- <<: *clang-8
-
-.clang-8-x86-64-build-debug:
- extends: .x86-64-build-debug
- variables:
- <<: *clang-8
-
.clang-x86-32-build:
extends: .x86-32-build
variables:
@@ -156,16 +139,6 @@
variables:
CONTAINER: archlinux:current
-centos-7-2-gcc:
- extends: .gcc-x86-64-build
- variables:
- CONTAINER: centos:7.2
-
-centos-7-2-gcc-debug:
- extends: .gcc-x86-64-build-debug
- variables:
- CONTAINER: centos:7.2
-
centos-7-gcc:
extends: .gcc-x86-64-build
variables:
@@ -236,16 +209,6 @@
variables:
CONTAINER: debian:stretch
-debian-stretch-clang-8:
- extends: .clang-8-x86-64-build
- variables:
- CONTAINER: debian:stretch
-
-debian-stretch-clang-8-debug:
- extends: .clang-8-x86-64-build-debug
- variables:
- CONTAINER: debian:stretch
-
debian-stretch-gcc:
extends: .gcc-x86-64-build
variables:
@@ -256,21 +219,11 @@
variables:
CONTAINER: debian:stretch
-debian-stretch-32-clang:
- extends: .clang-x86-32-build
- variables:
- CONTAINER: debian:stretch-i386
-
debian-stretch-32-clang-debug:
extends: .clang-x86-32-build-debug
variables:
CONTAINER: debian:stretch-i386
-debian-stretch-32-gcc:
- extends: .gcc-x86-32-build
- variables:
- CONTAINER: debian:stretch-i386
-
debian-stretch-32-gcc-debug:
extends: .gcc-x86-32-build-debug
variables:
@@ -308,21 +261,11 @@
CONTAINER: debian:unstable
RANDCONFIG: y
-debian-unstable-32-clang:
- extends: .clang-x86-32-build
- variables:
- CONTAINER: debian:unstable-i386
-
debian-unstable-32-clang-debug:
extends: .clang-x86-32-build-debug
variables:
CONTAINER: debian:unstable-i386
-debian-unstable-32-gcc:
- extends: .gcc-x86-32-build
- variables:
- CONTAINER: debian:unstable-i386
-
debian-unstable-32-gcc-debug:
extends: .gcc-x86-32-build-debug
variables:
diff -Nru xen-4.14.5+94-ge49571868d/automation/scripts/build xen-4.14.6/automation/scripts/build
--- xen-4.14.5+94-ge49571868d/automation/scripts/build 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/automation/scripts/build 2023-08-07 14:11:14.000000000 +0200
@@ -48,18 +48,3 @@
if [[ "${XEN_TARGET_ARCH}" == "x86_64" ]]; then
cp xen/xen binaries/xen
fi
-
-# Build all the configs we care about
-case ${XEN_TARGET_ARCH} in
- x86_64) arch=x86 ;;
- *) exit 0 ;;
-esac
-
-cfg_dir="automation/configs/${arch}"
-for cfg in `ls ${cfg_dir}`; do
- echo "Building $cfg"
- make -j$(nproc) -C xen clean
- rm -f xen/.config
- make -C xen KBUILD_DEFCONFIG=../../../../${cfg_dir}/${cfg} XEN_CONFIG_EXPERT=y defconfig
- make -j$(nproc) -C xen XEN_CONFIG_EXPERT=y
-done
diff -Nru xen-4.14.5+94-ge49571868d/automation/scripts/qemu-smoke-x86-64.sh xen-4.14.6/automation/scripts/qemu-smoke-x86-64.sh
--- xen-4.14.5+94-ge49571868d/automation/scripts/qemu-smoke-x86-64.sh 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/automation/scripts/qemu-smoke-x86-64.sh 2023-08-07 14:11:14.000000000 +0200
@@ -5,11 +5,6 @@
# variant should be either pv or pvh
variant=$1
-# Install QEMU
-export DEBIAN_FRONTENT=noninteractive
-apt-get -qy update
-apt-get -qy install qemu-system-x86
-
# Clone and build XTF
git clone https://xenbits.xen.org/git-http/xtf.git
cd xtf && make -j$(nproc) && cd -
diff -Nru xen-4.14.5+94-ge49571868d/Config.mk xen-4.14.6/Config.mk
--- xen-4.14.5+94-ge49571868d/Config.mk 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/Config.mk 2023-08-07 14:11:14.000000000 +0200
@@ -247,7 +247,7 @@
QEMU_UPSTREAM_REVISION ?= qemu-xen-4.14.5
MINIOS_UPSTREAM_REVISION ?= xen-RELEASE-4.14.5
-SEABIOS_UPSTREAM_REVISION ?= rel-1.13.0
+SEABIOS_UPSTREAM_REVISION ?= rel-1.16.0
ETHERBOOT_NICS ?= rtl8139 8086100e
diff -Nru xen-4.14.5+94-ge49571868d/debian/changelog xen-4.14.6/debian/changelog
--- xen-4.14.5+94-ge49571868d/debian/changelog 2023-03-23 20:40:49.000000000 +0100
+++ xen-4.14.6/debian/changelog 2023-09-21 16:55:59.000000000 +0200
@@ -1,3 +1,22 @@
+xen (4.14.6-1) bullseye; urgency=medium
+
+ * Update to new upstream version 4.14.6, which also contains
+ security fixes for the following issues:
+ - x86/AMD: Zenbleed
+ XSA-433 CVE-2023-20593
+ - x86/AMD: Speculative Return Stack Overflow
+ XSA-434 CVE-2023-20569
+ - x86/Intel: Gather Data Sampling
+ XSA-435 CVE-2022-40982
+ * Note that the following XSA are not listed, because...
+ - XSA-430 and XSA-431 only apply to Xen 4.17
+ - XSA-432 has patches for the Linux kernel.
+ * Also, note that upstream security support for Xen 4.14 has ended with this
+ release. This also means that Xen security support for Debian Bullseye has
+ ended.
+
+ -- Hans van Kranenburg <hans at knorrie.org> Thu, 21 Sep 2023 16:55:59 +0200
+
xen (4.14.5+94-ge49571868d-1) bullseye-security; urgency=medium
* Update to new upstream version 4.14.5+94-ge49571868d, which also contains
diff -Nru xen-4.14.5+94-ge49571868d/debian/patches/0002-Delete-configure-output.patch xen-4.14.6/debian/patches/0002-Delete-configure-output.patch
--- xen-4.14.5+94-ge49571868d/debian/patches/0002-Delete-configure-output.patch 2023-03-23 20:40:49.000000000 +0100
+++ xen-4.14.6/debian/patches/0002-Delete-configure-output.patch 2023-09-21 16:55:59.000000000 +0200
@@ -12,8 +12,8 @@
---
configure | 3618 -----------------
docs/configure | 3427 -----------------
- tools/configure | 11329 ------------------------------------------------------
- 3 files changed, 18374 deletions(-)
+ tools/configure | 11280 ------------------------------------------------------
+ 3 files changed, 18325 deletions(-)
delete mode 100755 configure
delete mode 100755 docs/configure
delete mode 100755 tools/configure
@@ -7077,10 +7077,10 @@
-
diff --git a/tools/configure b/tools/configure
deleted file mode 100755
-index f3f19c1..0000000
+index cf937c9..0000000
--- a/tools/configure
+++ /dev/null
-@@ -1,11329 +0,0 @@
+@@ -1,11280 +0,0 @@
-#! /bin/sh
-# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Xen Hypervisor Tools 4.14.
@@ -7768,7 +7768,6 @@
-SET_MAKE
-AWK
-IASL
--XGETTEXT
-BASH
-FLEX
-BISON
@@ -7927,7 +7926,6 @@
-BISON
-FLEX
-BASH
--XGETTEXT
-AS86
-LD86
-BCC
@@ -8673,7 +8671,6 @@
- BISON Path to Bison parser generator
- FLEX Path to Flex lexical analyser generator
- BASH Path to bash shell
-- XGETTEXT Path to xgetttext tool
- AS86 Path to as86 tool
- LD86 Path to ld86 tool
- BCC Path to bcc tool
@@ -11801,7 +11798,6 @@
-
-
-
--
-# Checks for programs.
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
@@ -14909,51 +14905,6 @@
-
-if ! $rump; then
-
--# Extract the first word of "xgettext", so it can be a program name with args.
--set dummy xgettext; ac_word=$2
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
--$as_echo_n "checking for $ac_word... " >&6; }
--if ${ac_cv_path_XGETTEXT+:} false; then :
-- $as_echo_n "(cached) " >&6
--else
-- case $XGETTEXT in
-- [\\/]* | ?:[\\/]*)
-- ac_cv_path_XGETTEXT="$XGETTEXT" # Let the user override the test with a path.
-- ;;
-- *)
-- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
--for as_dir in $PATH
--do
-- IFS=$as_save_IFS
-- test -z "$as_dir" && as_dir=.
-- for ac_exec_ext in '' $ac_executable_extensions; do
-- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
-- ac_cv_path_XGETTEXT="$as_dir/$ac_word$ac_exec_ext"
-- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
-- break 2
-- fi
--done
-- done
--IFS=$as_save_IFS
--
-- test -z "$ac_cv_path_XGETTEXT" && ac_cv_path_XGETTEXT="no"
-- ;;
--esac
--fi
--XGETTEXT=$ac_cv_path_XGETTEXT
--if test -n "$XGETTEXT"; then
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $XGETTEXT" >&5
--$as_echo "$XGETTEXT" >&6; }
--else
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
--$as_echo "no" >&6; }
--fi
--
--
--if test x"${XGETTEXT}" = x"no"
--then
-- as_fn_error $? "Unable to find xgettext, please install xgettext" "$LINENO" 5
--fi
-case "$host_cpu" in
-i[3456]86|x86_64|aarch64)
- # Extract the first word of "iasl", so it can be a program name with args.
diff -Nru xen-4.14.5+94-ge49571868d/debian/patches/0003-version.patch xen-4.14.6/debian/patches/0003-version.patch
--- xen-4.14.5+94-ge49571868d/debian/patches/0003-version.patch 2023-03-23 20:40:49.000000000 +0100
+++ xen-4.14.6/debian/patches/0003-version.patch 2023-09-21 16:55:59.000000000 +0200
@@ -12,7 +12,7 @@
6 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/xen/Makefile b/xen/Makefile
-index 46c8177..ac117b5 100644
+index 4dc707e..c0a0be3 100644
--- a/xen/Makefile
+++ b/xen/Makefile
@@ -382,7 +382,7 @@ delete-unfresh-files:
@@ -39,10 +39,10 @@
include/asm-$(TARGET_ARCH)/asm-offsets.h: arch/$(TARGET_ARCH)/asm-offsets.s
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
-index f07ff41..e41525d 100644
+index 35c9489..42cdde7 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
-@@ -410,9 +410,9 @@ static int __init buildinfo_init(void)
+@@ -412,9 +412,9 @@ static int __init buildinfo_init(void)
hypfs_add_dir(&buildinfo, &compileinfo, true);
hypfs_string_set_reference(&compiler, xen_compiler());
@@ -54,7 +54,7 @@
hypfs_add_leaf(&compileinfo, &compiler, true);
hypfs_add_leaf(&compileinfo, &compile_by, true);
hypfs_add_leaf(&compileinfo, &compile_date, true);
-@@ -493,8 +493,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
+@@ -495,8 +495,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
memset(&info, 0, sizeof(info));
safe_strcpy(info.compiler, deny ? xen_deny() : xen_compiler());
diff -Nru xen-4.14.5+94-ge49571868d/debian/patches/0009-tools-libfsimage-prefix.diff.patch xen-4.14.6/debian/patches/0009-tools-libfsimage-prefix.diff.patch
--- xen-4.14.5+94-ge49571868d/debian/patches/0009-tools-libfsimage-prefix.diff.patch 2023-03-23 20:40:49.000000000 +0100
+++ xen-4.14.6/debian/patches/0009-tools-libfsimage-prefix.diff.patch 2023-09-21 16:55:59.000000000 +0200
@@ -10,10 +10,10 @@
3 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/tools/Rules.mk b/tools/Rules.mk
-index 6774711..96dfe65 100644
+index ff54a07..d9263b6 100644
--- a/tools/Rules.mk
+++ b/tools/Rules.mk
-@@ -11,6 +11,8 @@ INSTALL = $(XEN_ROOT)/tools/cross-install
+@@ -16,6 +16,8 @@ INSTALL = $(XEN_ROOT)/tools/cross-install
LDFLAGS += $(PREPEND_LDFLAGS_XEN_TOOLS)
diff -Nru xen-4.14.5+94-ge49571868d/debian/patches/0012-Revert-pvshim-make-PV-shim-build-selectable-from-con.patch xen-4.14.6/debian/patches/0012-Revert-pvshim-make-PV-shim-build-selectable-from-con.patch
--- xen-4.14.5+94-ge49571868d/debian/patches/0012-Revert-pvshim-make-PV-shim-build-selectable-from-con.patch 2023-03-23 20:40:49.000000000 +0100
+++ xen-4.14.6/debian/patches/0012-Revert-pvshim-make-PV-shim-build-selectable-from-con.patch 2023-09-21 16:55:59.000000000 +0200
@@ -32,10 +32,10 @@
-
-CONFIG_PV_SHIM := @pvshim@
diff --git a/tools/configure.ac b/tools/configure.ac
-index 9d126b7..88e66d1 100644
+index 1808cff..3985b07 100644
--- a/tools/configure.ac
+++ b/tools/configure.ac
-@@ -503,17 +503,4 @@ AC_ARG_ENABLE([9pfs],
+@@ -501,17 +501,4 @@ AC_ARG_ENABLE([9pfs],
AC_SUBST(ninepfs)
diff -Nru xen-4.14.5+94-ge49571868d/debian/patches/0017-Fix-empty-fields-in-first-hypervisor-log-line.patch xen-4.14.6/debian/patches/0017-Fix-empty-fields-in-first-hypervisor-log-line.patch
--- xen-4.14.5+94-ge49571868d/debian/patches/0017-Fix-empty-fields-in-first-hypervisor-log-line.patch 2023-03-23 20:40:49.000000000 +0100
+++ xen-4.14.6/debian/patches/0017-Fix-empty-fields-in-first-hypervisor-log-line.patch 2023-09-21 16:55:59.000000000 +0200
@@ -28,7 +28,7 @@
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/xen/Makefile b/xen/Makefile
-index ac117b5..3c0ec6b 100644
+index c0a0be3..89ae405 100644
--- a/xen/Makefile
+++ b/xen/Makefile
@@ -394,9 +394,9 @@ include/xen/compile.h: include/xen/compile.h.in
diff -Nru xen-4.14.5+94-ge49571868d/debian/patches/0036-fix-spelling-errors.patch xen-4.14.6/debian/patches/0036-fix-spelling-errors.patch
--- xen-4.14.5+94-ge49571868d/debian/patches/0036-fix-spelling-errors.patch 2023-03-23 20:40:49.000000000 +0100
+++ xen-4.14.6/debian/patches/0036-fix-spelling-errors.patch 2023-09-21 16:55:59.000000000 +0200
@@ -43,10 +43,10 @@
=item B<vkb-detach> I<domain-id> I<devid>
diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in
-index 2224080b..bf3b240 100644
+index be454ed..73d2caa 100644
--- a/docs/man/xl.cfg.5.pod.in
+++ b/docs/man/xl.cfg.5.pod.in
-@@ -2390,7 +2390,7 @@ If B<videoram> is set less than 128MB, an error will be triggered.
+@@ -2382,7 +2382,7 @@ If B<videoram> is set less than 128MB, an error will be triggered.
=item B<stdvga=BOOLEAN>
@@ -147,7 +147,7 @@
return -ENOSPC;
}
diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c
-index c0f91dd..ed511de 100644
+index 8b7faab..697eea5 100644
--- a/xen/arch/x86/x86_emulate/x86_emulate.c
+++ b/xen/arch/x86/x86_emulate/x86_emulate.c
@@ -3244,7 +3244,7 @@ x86_decode(
@@ -184,10 +184,10 @@
spinlock_t lock;
/* List of context (i.e iommu_domain) associated to this domain */
diff --git a/xen/tools/gen-cpuid.py b/xen/tools/gen-cpuid.py
-index e77672d..1cbd81a 100755
+index 3980e1b..ed4ba6c 100755
--- a/xen/tools/gen-cpuid.py
+++ b/xen/tools/gen-cpuid.py
-@@ -192,7 +192,7 @@ def crunch_numbers(state):
+@@ -222,7 +222,7 @@ def crunch_numbers(state):
FXSR: [FFXSR, SSE],
# SSE is taken to mean support for the %XMM registers as well as the
diff -Nru xen-4.14.5+94-ge49571868d/debian/patches/0038-x86-EFI-don-t-insert-timestamp-when-SOURCE_DATE_EPOC.patch xen-4.14.6/debian/patches/0038-x86-EFI-don-t-insert-timestamp-when-SOURCE_DATE_EPOC.patch
--- xen-4.14.5+94-ge49571868d/debian/patches/0038-x86-EFI-don-t-insert-timestamp-when-SOURCE_DATE_EPOC.patch 2023-03-23 20:40:49.000000000 +0100
+++ xen-4.14.6/debian/patches/0038-x86-EFI-don-t-insert-timestamp-when-SOURCE_DATE_EPOC.patch 2023-09-21 16:55:59.000000000 +0200
@@ -21,10 +21,10 @@
1 file changed, 6 insertions(+)
diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
-index fd0acd5..45a8c8f 100644
+index d918e99..ea8d2f0 100644
--- a/xen/arch/x86/Makefile
+++ b/xen/arch/x86/Makefile
-@@ -172,6 +172,12 @@ EFI_LDFLAGS += --major-image-version=$(XEN_VERSION)
+@@ -173,6 +173,12 @@ EFI_LDFLAGS += --major-image-version=$(XEN_VERSION)
EFI_LDFLAGS += --minor-image-version=$(XEN_SUBVERSION)
EFI_LDFLAGS += --major-os-version=2 --minor-os-version=0
EFI_LDFLAGS += --major-subsystem-version=2 --minor-subsystem-version=0
diff -Nru xen-4.14.5+94-ge49571868d/debian/patches/misc/toolstestsx86_emulator-pass--no-pie--fno.patch xen-4.14.6/debian/patches/misc/toolstestsx86_emulator-pass--no-pie--fno.patch
--- xen-4.14.5+94-ge49571868d/debian/patches/misc/toolstestsx86_emulator-pass--no-pie--fno.patch 2023-03-23 20:40:49.000000000 +0100
+++ xen-4.14.6/debian/patches/misc/toolstestsx86_emulator-pass--no-pie--fno.patch 2023-09-21 16:55:59.000000000 +0200
@@ -30,7 +30,7 @@
1 file changed, 4 insertions(+)
diff --git a/tools/tests/x86_emulator/Makefile b/tools/tests/x86_emulator/Makefile
-index 48b3e6d..83bc757 100644
+index 18a3f3a..124283f 100644
--- a/tools/tests/x86_emulator/Makefile
+++ b/tools/tests/x86_emulator/Makefile
@@ -283,6 +283,10 @@ HOSTCFLAGS-x86_64 := -fno-PIE
diff -Nru xen-4.14.5+94-ge49571868d/debian/patches/prefix-abiname/config-prefix.diff xen-4.14.6/debian/patches/prefix-abiname/config-prefix.diff
--- xen-4.14.5+94-ge49571868d/debian/patches/prefix-abiname/config-prefix.diff 2023-03-23 20:40:49.000000000 +0100
+++ xen-4.14.6/debian/patches/prefix-abiname/config-prefix.diff 2023-09-21 16:55:59.000000000 +0200
@@ -9,7 +9,7 @@
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/Config.mk b/Config.mk
-index ba5eb4e..99364f6 100644
+index 4a0f717..7506529 100644
--- a/Config.mk
+++ b/Config.mk
@@ -74,7 +74,7 @@ EXTRA_LIB += $(EXTRA_PREFIX)/lib
diff -Nru xen-4.14.5+94-ge49571868d/docs/man/xl.cfg.5.pod.in xen-4.14.6/docs/man/xl.cfg.5.pod.in
--- xen-4.14.5+94-ge49571868d/docs/man/xl.cfg.5.pod.in 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/docs/man/xl.cfg.5.pod.in 2023-08-07 14:11:14.000000000 +0200
@@ -2014,24 +2014,16 @@
=back
-List of keys taking a character:
+List of keys taking a character can be found in the public header file
+L<arch-x86/cpufeatureset.h|https://xenbits.xen.org/docs/unstable/hypercall/x86_64/include,public,arch-x86,cpufeatureset.h.html>
-=over 4
-
-3dnow 3dnowext 3dnowprefetch abm acpi adx aes altmovcr8 apic arat avx avx2
-avx512-4fmaps avx512-4vnniw avx512bw avx512cd avx512dq avx512er avx512f
-avx512ifma avx512pf avx512vbmi avx512vl bmi1 bmi2 clflushopt clfsh clwb cmov
-cmplegacy cmpxchg16 cmpxchg8 cmt cntxid dca de ds dscpl dtes64 erms est extapic
-f16c ffxsr fma fma4 fpu fsgsbase fxsr hle htt hypervisor ia64 ibs invpcid
-invtsc lahfsahf lm lwp mca mce misalignsse mmx mmxext monitor movbe mpx msr
-mtrr nodeid nx ospke osvw osxsave pae page1gb pat pbe pcid pclmulqdq pdcm
-perfctr_core perfctr_nb pge pku popcnt pse pse36 psn rdrand rdseed rdtscp rtm
-sha skinit smap smep smx ss sse sse2 sse3 sse4.1 sse4.2 sse4_1 sse4_2 sse4a
-ssse3 svm svm_decode svm_lbrv svm_npt svm_nrips svm_pausefilt svm_tscrate
-svm_vmcbclean syscall sysenter tbm tm tm2 topoext tsc tsc-deadline tsc_adjust
-umip vme vmx wdt x2apic xop xsave xtpr
-
-=back
+The feature names described in C<cpufeatureset.h> should be specified in all
+lowercase letters, and with underscores converted to hyphens. For example in
+order to reference feature C<LAHF_LM> the string C<lahf-lm> should be used.
+
+Note that C<clflush> is described as an option that takes a value, and that
+takes precedence over the C<clflush> flag in C<cpufeatureset.h>. The feature
+flag must be referenced as C<clfsh>.
=back
diff -Nru xen-4.14.5+94-ge49571868d/docs/misc/xen-command-line.pandoc xen-4.14.6/docs/misc/xen-command-line.pandoc
--- xen-4.14.5+94-ge49571868d/docs/misc/xen-command-line.pandoc 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/docs/misc/xen-command-line.pandoc 2023-08-07 14:11:14.000000000 +0200
@@ -756,6 +756,22 @@
restore the pre-4.13 behaviour. If specifying `no-cpuid-faulting` fixes
an issue in dom0, please report a bug.
+### dom0-cpuid
+ = List of comma separated booleans
+
+ Applicability: x86
+
+This option allows for fine tuning of the facilities dom0 will use, after
+accounting for hardware capabilities and Xen settings as enumerated via CPUID.
+
+Options are accepted in positive and negative form, to enable or disable
+specific features. All selections via this mechanism are subject to normal
+CPU Policy safety and dependency logic.
+
+This option is intended for developers to opt dom0 into non-default features,
+and is not intended for use in production circumstances. If using this option
+is necessary to fix an issue, please report a bug.
+
### dom0-iommu
= List of [ passthrough=<bool>, strict=<bool>, map-inclusive=<bool>,
map-reserved=<bool>, none ]
@@ -2108,7 +2124,7 @@
> {msr-sc,rsb,md-clear,ibpb-entry}=<bool>|{pv,hvm}=<bool>,
> bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd,
> eager-fpu,l1d-flush,branch-harden,srb-lock,
-> unpriv-mmio}=<bool> ]`
+> unpriv-mmio,gds-mit}=<bool> ]`
Controls for speculative execution sidechannel mitigations. By default, Xen
will pick the most appropriate mitigations based on compiled in support,
@@ -2154,9 +2170,10 @@
preference to here.*
* `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction
Barrier) is used on entry to Xen. This is used by default on hardware
- vulnerable to Branch Type Confusion, but for performance reasons, dom0 is
- unprotected by default. If it necessary to protect dom0 too, boot with
- `spec-ctrl=ibpb-entry`.
+ vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative
+ Return Stack Overflow if appropriate microcode has been loaded, but for
+ performance reasons dom0 is unprotected by default. If it is necessary to
+ protect dom0 too, boot with `spec-ctrl=ibpb-entry`.
If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to
select which of the thunks gets patched into the `__x86_indirect_thunk_%reg`
@@ -2219,6 +2236,14 @@
release to mitigate cross-domain leakage of data via the MMIO Stale Data
vulnerabilities.
+On all hardware, the `gds-mit=` option can be used to force or prevent Xen
+from mitigating the GDS (Gather Data Sampling) vulnerability. By default, Xen
+will mitigate GDS on hardware believed to be vulnerable. On hardware
+supporting GDS_CTRL (requires the August 2023 microcode), and where firmware
+has elected not to lock the configuration, Xen will use GDS_CTRL to mitigate
+GDS with. Otherwise, Xen will mitigate by disabling AVX, which blocks the use
+of the AVX2 Gather instructions.
+
### sync_console
> `= <boolean>`
diff -Nru xen-4.14.5+94-ge49571868d/MAINTAINERS xen-4.14.6/MAINTAINERS
--- xen-4.14.5+94-ge49571868d/MAINTAINERS 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/MAINTAINERS 2023-08-07 14:11:14.000000000 +0200
@@ -189,7 +189,6 @@
F: .gitlab-ci.yml
F: .travis.yml
F: automation/
-F: scripts/travis-build
CPU POOLS
M: Juergen Gross <jgross at suse.com>
diff -Nru xen-4.14.5+94-ge49571868d/README xen-4.14.6/README
--- xen-4.14.5+94-ge49571868d/README 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/README 2023-08-07 14:11:14.000000000 +0200
@@ -60,7 +60,6 @@
* bridge-utils package (/sbin/brctl)
* iproute package (/sbin/ip)
* GNU bison and GNU flex
- * GNU gettext
* ACPI ASL compiler (iasl)
* Libc multiarch package (e.g. libc6-dev-i386 / glibc-devel.i686).
Required when building on a 64-bit platform to build
diff -Nru xen-4.14.5+94-ge49571868d/scripts/travis-build xen-4.14.6/scripts/travis-build
--- xen-4.14.5+94-ge49571868d/scripts/travis-build 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/scripts/travis-build 1970-01-01 01:00:00.000000000 +0100
@@ -1,27 +0,0 @@
-#!/bin/bash -ex
-
-$CC --version
-
-# random config or default config
-if [[ "${RANDCONFIG}" == "y" ]]; then
- make -C xen KCONFIG_ALLCONFIG=tools/kconfig/allrandom.config randconfig
-else
- make -C xen defconfig
-fi
-
-# build up our configure options
-cfgargs=()
-cfgargs+=("--disable-stubdom") # more work needed into building this
-cfgargs+=("--disable-rombios")
-cfgargs+=("--enable-docs")
-cfgargs+=("--with-system-seabios=/usr/share/seabios/bios.bin")
-
-if [[ "${XEN_TARGET_ARCH}" == "x86_64" ]]; then
- cfgargs+=("--enable-tools")
-else
- cfgargs+=("--disable-tools") # we don't have the cross depends installed
-fi
-
-./configure "${cfgargs[@]}"
-
-make dist
diff -Nru xen-4.14.5+94-ge49571868d/tools/configure xen-4.14.6/tools/configure
--- xen-4.14.5+94-ge49571868d/tools/configure 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/configure 2023-08-07 14:11:14.000000000 +0200
@@ -685,7 +685,6 @@
SET_MAKE
AWK
IASL
-XGETTEXT
BASH
FLEX
BISON
@@ -844,7 +843,6 @@
BISON
FLEX
BASH
-XGETTEXT
AS86
LD86
BCC
@@ -1590,7 +1588,6 @@
BISON Path to Bison parser generator
FLEX Path to Flex lexical analyser generator
BASH Path to bash shell
- XGETTEXT Path to xgetttext tool
AS86 Path to as86 tool
LD86 Path to ld86 tool
BCC Path to bcc tool
@@ -4718,7 +4715,6 @@
-
# Checks for programs.
ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
@@ -7826,51 +7822,6 @@
if ! $rump; then
-# Extract the first word of "xgettext", so it can be a program name with args.
-set dummy xgettext; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_path_XGETTEXT+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- case $XGETTEXT in
- [\\/]* | ?:[\\/]*)
- ac_cv_path_XGETTEXT="$XGETTEXT" # Let the user override the test with a path.
- ;;
- *)
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_XGETTEXT="$as_dir/$ac_word$ac_exec_ext"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
- done
-IFS=$as_save_IFS
-
- test -z "$ac_cv_path_XGETTEXT" && ac_cv_path_XGETTEXT="no"
- ;;
-esac
-fi
-XGETTEXT=$ac_cv_path_XGETTEXT
-if test -n "$XGETTEXT"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $XGETTEXT" >&5
-$as_echo "$XGETTEXT" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-
-if test x"${XGETTEXT}" = x"no"
-then
- as_fn_error $? "Unable to find xgettext, please install xgettext" "$LINENO" 5
-fi
case "$host_cpu" in
i[3456]86|x86_64|aarch64)
# Extract the first word of "iasl", so it can be a program name with args.
diff -Nru xen-4.14.5+94-ge49571868d/tools/configure.ac xen-4.14.6/tools/configure.ac
--- xen-4.14.5+94-ge49571868d/tools/configure.ac 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/configure.ac 2023-08-07 14:11:14.000000000 +0200
@@ -298,7 +298,6 @@
AC_ARG_VAR([BISON], [Path to Bison parser generator])
AC_ARG_VAR([FLEX], [Path to Flex lexical analyser generator])
AC_ARG_VAR([BASH], [Path to bash shell])
-AC_ARG_VAR([XGETTEXT], [Path to xgetttext tool])
AC_ARG_VAR([AS86], [Path to as86 tool])
AC_ARG_VAR([LD86], [Path to ld86 tool])
AC_ARG_VAR([BCC], [Path to bcc tool])
@@ -381,7 +380,6 @@
if ! $rump; then
-AX_PATH_PROG_OR_FAIL([XGETTEXT], [xgettext])
dnl as86, ld86, bcc and iasl are only required when the host system is x86*.
dnl "host" here means the platform on which the hypervisor and tools is
dnl going to run, not the platform on which we are building (known as
diff -Nru xen-4.14.5+94-ge49571868d/tools/flask/policy/Makefile.common xen-4.14.6/tools/flask/policy/Makefile.common
--- xen-4.14.5+94-ge49571868d/tools/flask/policy/Makefile.common 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/flask/policy/Makefile.common 2023-08-07 14:11:14.000000000 +0200
@@ -35,7 +35,7 @@
#
########################################
-POLICY_FILENAME = $(FLASK_BUILD_DIR)/xenpolicy-$(shell $(MAKE) -C $(XEN_ROOT)/xen xenversion --no-print-directory)
+POLICY_FILENAME = $(FLASK_BUILD_DIR)/xenpolicy-$(XEN_FULLVERSION)
POLICY_LOADPATH = /boot
# List of policy versions supported by the hypervisor
diff -Nru xen-4.14.5+94-ge49571868d/tools/fuzz/cpu-policy/afl-policy-fuzzer.c xen-4.14.6/tools/fuzz/cpu-policy/afl-policy-fuzzer.c
--- xen-4.14.5+94-ge49571868d/tools/fuzz/cpu-policy/afl-policy-fuzzer.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/fuzz/cpu-policy/afl-policy-fuzzer.c 2023-08-07 14:11:14.000000000 +0200
@@ -9,24 +9,26 @@
#include <getopt.h>
#include <xen-tools/libs.h>
-#include <xen/lib/x86/cpuid.h>
-#include <xen/lib/x86/msr.h>
+#include <xen/lib/x86/cpu-policy.h>
#include <xen/domctl.h>
static bool debug;
#define EMPTY_LEAF ((struct cpuid_leaf){})
-static void check_cpuid(struct cpuid_policy *cp)
+static void check_policy(struct cpu_policy *cp)
{
- struct cpuid_policy new = {};
+ struct cpu_policy new = {};
size_t data_end;
xen_cpuid_leaf_t *leaves = malloc(CPUID_MAX_SERIALISED_LEAVES *
sizeof(xen_cpuid_leaf_t));
- unsigned int nr = CPUID_MAX_SERIALISED_LEAVES;
+ xen_msr_entry_t *msrs = malloc(MSR_MAX_SERIALISED_ENTRIES *
+ sizeof(xen_cpuid_leaf_t));
+ unsigned int nr_leaves = CPUID_MAX_SERIALISED_LEAVES;
+ unsigned int nr_msrs = MSR_MAX_SERIALISED_ENTRIES;
int rc;
- if ( !leaves )
+ if ( !leaves || !msrs )
return;
/*
@@ -46,16 +48,23 @@
* Fix up the data in the source policy which isn't expected to survive
* serialisation.
*/
- x86_cpuid_policy_clear_out_of_range_leaves(cp);
- x86_cpuid_policy_recalc_synth(cp);
+ x86_cpu_policy_clear_out_of_range_leaves(cp);
+ x86_cpu_policy_recalc_synth(cp);
/* Serialise... */
- rc = x86_cpuid_copy_to_buffer(cp, leaves, &nr);
+ rc = x86_cpuid_copy_to_buffer(cp, leaves, &nr_leaves);
+ assert(rc == 0);
+ assert(nr_leaves <= CPUID_MAX_SERIALISED_LEAVES);
+
+ rc = x86_msr_copy_to_buffer(cp, msrs, &nr_msrs);
assert(rc == 0);
- assert(nr <= CPUID_MAX_SERIALISED_LEAVES);
+ assert(nr_msrs <= MSR_MAX_SERIALISED_ENTRIES);
/* ... and deserialise. */
- rc = x86_cpuid_copy_from_buffer(&new, leaves, nr, NULL, NULL);
+ rc = x86_cpuid_copy_from_buffer(&new, leaves, nr_leaves, NULL, NULL);
+ assert(rc == 0);
+
+ rc = x86_msr_copy_from_buffer(&new, msrs, nr_msrs, NULL);
assert(rc == 0);
/* The result after serialisation/deserialisaion should be identical... */
@@ -77,28 +86,6 @@
free(leaves);
}
-static void check_msr(struct msr_policy *mp)
-{
- struct msr_policy new = {};
- xen_msr_entry_t *msrs = malloc(MSR_MAX_SERIALISED_ENTRIES *
- sizeof(xen_msr_entry_t));
- unsigned int nr = MSR_MAX_SERIALISED_ENTRIES;
- int rc;
-
- if ( !msrs )
- return;
-
- rc = x86_msr_copy_to_buffer(mp, msrs, &nr);
- assert(rc == 0);
- assert(nr <= MSR_MAX_SERIALISED_ENTRIES);
-
- rc = x86_msr_copy_from_buffer(&new, msrs, nr, NULL);
- assert(rc == 0);
- assert(memcmp(mp, &new, sizeof(*mp)) == 0);
-
- free(msrs);
-}
-
int main(int argc, char **argv)
{
FILE *fp = NULL;
@@ -145,8 +132,7 @@
while ( __AFL_LOOP(1000) )
#endif
{
- struct cpuid_policy *cp = NULL;
- struct msr_policy *mp = NULL;
+ struct cpu_policy *cp = NULL;
if ( fp != stdin )
{
@@ -161,22 +147,18 @@
}
cp = calloc(1, sizeof(*cp));
- mp = calloc(1, sizeof(*mp));
- if ( !cp || !mp )
+ if ( !cp )
goto skip;
fread(cp, sizeof(*cp), 1, fp);
- fread(mp, sizeof(*mp), 1, fp);
if ( !feof(fp) )
goto skip;
- check_cpuid(cp);
- check_msr(mp);
+ check_policy(cp);
skip:
free(cp);
- free(mp);
if ( fp != stdin )
{
diff -Nru xen-4.14.5+94-ge49571868d/tools/fuzz/x86_instruction_emulator/fuzz-emul.c xen-4.14.6/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
--- xen-4.14.5+94-ge49571868d/tools/fuzz/x86_instruction_emulator/fuzz-emul.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/fuzz/x86_instruction_emulator/fuzz-emul.c 2023-08-07 14:11:14.000000000 +0200
@@ -896,7 +896,7 @@
struct x86_emulate_ctxt ctxt = {
.data = &state,
.regs = &input.regs,
- .cpuid = &cp,
+ .cpu_policy = &cp,
.addr_size = 8 * sizeof(void *),
.sp_size = 8 * sizeof(void *),
};
diff -Nru xen-4.14.5+94-ge49571868d/tools/fuzz/x86_instruction_emulator/Makefile xen-4.14.6/tools/fuzz/x86_instruction_emulator/Makefile
--- xen-4.14.5+94-ge49571868d/tools/fuzz/x86_instruction_emulator/Makefile 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/fuzz/x86_instruction_emulator/Makefile 2023-08-07 14:11:14.000000000 +0200
@@ -28,7 +28,7 @@
x86.h := $(addprefix $(XEN_ROOT)/tools/include/xen/asm/,\
x86-vendors.h x86-defns.h msr-index.h) \
$(addprefix $(XEN_ROOT)/tools/include/xen/lib/x86/, \
- cpuid.h cpuid-autogen.h)
+ cpu-policy.h cpuid-autogen.h)
x86_emulate.h := x86-emulate.h x86_emulate/x86_emulate.h $(x86.h)
# x86-emulate.c will be implicit for both
diff -Nru xen-4.14.5+94-ge49571868d/tools/libxc/include/xenctrl.h xen-4.14.6/tools/libxc/include/xenctrl.h
--- xen-4.14.5+94-ge49571868d/tools/libxc/include/xenctrl.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/libxc/include/xenctrl.h 2023-08-07 14:11:14.000000000 +0200
@@ -1820,6 +1820,21 @@
};
/*
+ * MSR policy data.
+ *
+ * The format of the policy string is the following:
+ * '1' -> force to 1
+ * '0' -> force to 0
+ * 'x' -> we don't care (use default)
+ * 'k' -> pass through host value
+ */
+struct xc_msr {
+ uint32_t index;
+ char policy[65];
+};
+#define XC_MSR_INPUT_UNUSED 0xffffffffu
+
+/*
* Make adjustments to the CPUID settings for a domain.
*
* This path is used in two cases. First, for fresh boots of the domain, and
@@ -1830,13 +1845,15 @@
* Either pass a full new @featureset (and @nr_features), or adjust individual
* features (@pae).
*
- * Then (optionally) apply legacy XEND overrides (@xend) to the result.
+ * Then (optionally) apply legacy XEND CPUID overrides (@xend) or MSR (@msr)
+ * to the result.
*/
int xc_cpuid_apply_policy(xc_interface *xch,
uint32_t domid, bool restore,
const uint32_t *featureset,
unsigned int nr_features, bool pae,
- const struct xc_xend_cpuid *xend);
+ const struct xc_xend_cpuid *xend,
+ const struct xc_msr *msr);
int xc_mca_op(xc_interface *xch, struct xen_mc *mc);
int xc_mca_op_inject_v2(xc_interface *xch, unsigned int flags,
xc_cpumap_t cpumap, unsigned int nr_cpus);
diff -Nru xen-4.14.5+94-ge49571868d/tools/libxc/xc_cpuid_x86.c xen-4.14.6/tools/libxc/xc_cpuid_x86.c
--- xen-4.14.5+94-ge49571868d/tools/libxc/xc_cpuid_x86.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/libxc/xc_cpuid_x86.c 2023-08-07 14:11:14.000000000 +0200
@@ -148,9 +148,9 @@
sysctl.cmd = XEN_SYSCTL_get_cpu_policy;
sysctl.u.cpu_policy.index = index;
sysctl.u.cpu_policy.nr_leaves = *nr_leaves;
- set_xen_guest_handle(sysctl.u.cpu_policy.cpuid_policy, leaves);
+ set_xen_guest_handle(sysctl.u.cpu_policy.leaves, leaves);
sysctl.u.cpu_policy.nr_msrs = *nr_msrs;
- set_xen_guest_handle(sysctl.u.cpu_policy.msr_policy, msrs);
+ set_xen_guest_handle(sysctl.u.cpu_policy.msrs, msrs);
ret = do_sysctl(xch, &sysctl);
@@ -186,9 +186,9 @@
domctl.cmd = XEN_DOMCTL_get_cpu_policy;
domctl.domain = domid;
domctl.u.cpu_policy.nr_leaves = *nr_leaves;
- set_xen_guest_handle(domctl.u.cpu_policy.cpuid_policy, leaves);
+ set_xen_guest_handle(domctl.u.cpu_policy.leaves, leaves);
domctl.u.cpu_policy.nr_msrs = *nr_msrs;
- set_xen_guest_handle(domctl.u.cpu_policy.msr_policy, msrs);
+ set_xen_guest_handle(domctl.u.cpu_policy.msrs, msrs);
ret = do_domctl(xch, &domctl);
@@ -235,9 +235,9 @@
domctl.cmd = XEN_DOMCTL_set_cpu_policy;
domctl.domain = domid;
domctl.u.cpu_policy.nr_leaves = nr_leaves;
- set_xen_guest_handle(domctl.u.cpu_policy.cpuid_policy, leaves);
+ set_xen_guest_handle(domctl.u.cpu_policy.leaves, leaves);
domctl.u.cpu_policy.nr_msrs = nr_msrs;
- set_xen_guest_handle(domctl.u.cpu_policy.msr_policy, msrs);
+ set_xen_guest_handle(domctl.u.cpu_policy.msrs, msrs);
domctl.u.cpu_policy.err_leaf = -1;
domctl.u.cpu_policy.err_subleaf = -1;
domctl.u.cpu_policy.err_msr = -1;
@@ -425,16 +425,177 @@
return rc;
}
+static int compare_msr(const void *l, const void *r)
+{
+ const xen_msr_entry_t *lhs = l;
+ const xen_msr_entry_t *rhs = r;
+
+ if ( lhs->idx == rhs->idx )
+ return 0;
+
+ return lhs->idx < rhs->idx ? -1 : 1;
+}
+
+static xen_msr_entry_t *find_msr(
+ xen_msr_entry_t *msrs, unsigned int nr_msrs,
+ uint32_t index)
+{
+ const xen_msr_entry_t key = { .idx = index };
+
+ return bsearch(&key, msrs, nr_msrs, sizeof(*msrs), compare_msr);
+}
+
+
+static int xc_msr_policy(xc_interface *xch, domid_t domid,
+ const struct xc_msr *msr)
+{
+ int rc;
+ bool hvm;
+ xc_dominfo_t di;
+ unsigned int nr_leaves, nr_msrs;
+ uint32_t err_leaf = -1, err_subleaf = -1, err_msr = -1;
+ /*
+ * Three full policies. The host, default for the domain type,
+ * and domain current.
+ */
+ xen_msr_entry_t *host = NULL, *def = NULL, *cur = NULL;
+ unsigned int nr_host, nr_def, nr_cur;
+
+ if ( xc_domain_getinfo(xch, domid, 1, &di) != 1 ||
+ di.domid != domid )
+ {
+ ERROR("Failed to obtain d%d info", domid);
+ rc = -ESRCH;
+ goto out;
+ }
+ hvm = di.hvm;
+
+ rc = xc_get_cpu_policy_size(xch, &nr_leaves, &nr_msrs);
+ if ( rc )
+ {
+ PERROR("Failed to obtain policy info size");
+ rc = -errno;
+ goto out;
+ }
+
+ if ( (host = calloc(nr_msrs, sizeof(*host))) == NULL ||
+ (def = calloc(nr_msrs, sizeof(*def))) == NULL ||
+ (cur = calloc(nr_msrs, sizeof(*cur))) == NULL )
+ {
+ ERROR("Unable to allocate memory for %u CPUID leaves", nr_leaves);
+ rc = -ENOMEM;
+ goto out;
+ }
+
+ /* Get the domain's current policy. */
+ nr_leaves = 0;
+ nr_cur = nr_msrs;
+ rc = xc_get_domain_cpu_policy(xch, domid, &nr_leaves, NULL, &nr_cur, cur);
+ if ( rc )
+ {
+ PERROR("Failed to obtain d%d current policy", domid);
+ rc = -errno;
+ goto out;
+ }
+
+ /* Get the domain type's default policy. */
+ nr_leaves = 0;
+ nr_def = nr_msrs;
+ rc = xc_get_system_cpu_policy(xch, hvm ? XEN_SYSCTL_cpu_policy_hvm_default
+ : XEN_SYSCTL_cpu_policy_pv_default,
+ &nr_leaves, NULL, &nr_def, def);
+ if ( rc )
+ {
+ PERROR("Failed to obtain %s def policy", hvm ? "hvm" : "pv");
+ rc = -errno;
+ goto out;
+ }
+
+ /* Get the host policy. */
+ nr_leaves = 0;
+ nr_host = nr_msrs;
+ rc = xc_get_system_cpu_policy(xch, XEN_SYSCTL_cpu_policy_host,
+ &nr_leaves, NULL, &nr_host, host);
+ if ( rc )
+ {
+ PERROR("Failed to obtain host policy");
+ rc = -errno;
+ goto out;
+ }
+
+ for ( ; msr->index != XC_MSR_INPUT_UNUSED; ++msr )
+ {
+ xen_msr_entry_t *cur_msr = find_msr(cur, nr_cur, msr->index);
+ const xen_msr_entry_t *def_msr = find_msr(def, nr_def, msr->index);
+ const xen_msr_entry_t *host_msr = find_msr(host, nr_host, msr->index);
+ unsigned int i;
+
+ if ( cur_msr == NULL || def_msr == NULL || host_msr == NULL )
+ {
+ ERROR("Missing MSR %#x", msr->index);
+ rc = -ENOENT;
+ goto out;
+ }
+
+ for ( i = 0; i < ARRAY_SIZE(msr->policy) - 1; i++ )
+ {
+ bool val;
+
+ if ( msr->policy[i] == '1' )
+ val = true;
+ else if ( msr->policy[i] == '0' )
+ val = false;
+ else if ( msr->policy[i] == 'x' )
+ val = test_bit(63 - i, &def_msr->val);
+ else if ( msr->policy[i] == 'k' )
+ val = test_bit(63 - i, &host_msr->val);
+ else
+ {
+ ERROR("MSR index %#x: bad character '%c' in policy string '%s'",
+ msr->index, msr->policy[i], msr->policy);
+ rc = -EINVAL;
+ goto out;
+ }
+
+ if ( val )
+ set_bit(63 - i, &cur_msr->val);
+ else
+ clear_bit(63 - i, &cur_msr->val);
+ }
+ }
+
+ /* Feed the transformed policy back up to Xen. */
+ rc = xc_set_domain_cpu_policy(xch, domid, 0, NULL, nr_cur, cur,
+ &err_leaf, &err_subleaf, &err_msr);
+ if ( rc )
+ {
+ PERROR("Failed to set d%d's policy (err leaf %#x, subleaf %#x, msr %#x)",
+ domid, err_leaf, err_subleaf, err_msr);
+ rc = -errno;
+ goto out;
+ }
+
+ /* Success! */
+
+ out:
+ free(cur);
+ free(def);
+ free(host);
+
+ return rc;
+}
+
int xc_cpuid_apply_policy(xc_interface *xch, uint32_t domid, bool restore,
const uint32_t *featureset, unsigned int nr_features,
bool pae,
- const struct xc_xend_cpuid *xend)
+ const struct xc_xend_cpuid *xend,
+ const struct xc_msr *msr)
{
int rc;
xc_dominfo_t di;
unsigned int i, nr_leaves, nr_msrs;
xen_cpuid_leaf_t *leaves = NULL;
- struct cpuid_policy *p = NULL;
+ struct cpu_policy *p = NULL;
uint32_t err_leaf = -1, err_subleaf = -1, err_msr = -1;
uint32_t host_featureset[FEATURESET_NR_ENTRIES] = {};
uint32_t len = ARRAY_SIZE(host_featureset);
@@ -558,7 +719,7 @@
const uint32_t *dfs;
if ( !test_bit(b, disabled_features) ||
- !(dfs = x86_cpuid_lookup_deep_deps(b)) )
+ !(dfs = x86_cpu_policy_lookup_deep_deps(b)) )
continue;
for ( i = 0; i < ARRAY_SIZE(disabled_features); ++i )
@@ -568,7 +729,7 @@
}
}
- cpuid_featureset_to_policy(feat, p);
+ x86_cpu_featureset_to_policy(feat, p);
}
else
{
@@ -671,6 +832,13 @@
if ( xend && (rc = xc_cpuid_xend_policy(xch, domid, xend)) )
goto out;
+ if ( msr )
+ {
+ rc = xc_msr_policy(xch, domid, msr);
+ if ( rc )
+ goto out;
+ }
+
rc = 0;
out:
diff -Nru xen-4.14.5+94-ge49571868d/tools/libxl/libxl_cpuid.c xen-4.14.6/tools/libxl/libxl_cpuid.c
--- xen-4.14.5+94-ge49571868d/tools/libxl/libxl_cpuid.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/libxl/libxl_cpuid.c 2023-08-07 14:11:14.000000000 +0200
@@ -14,27 +14,38 @@
#include "libxl_internal.h"
+#include <xen/lib/x86/cpu-policy.h>
+
int libxl__cpuid_policy_is_empty(libxl_cpuid_policy_list *pl)
{
- return !libxl_cpuid_policy_list_length(pl);
+ return !*pl || (!libxl_cpuid_policy_list_length(pl) && !(*pl)->msr);
}
-void libxl_cpuid_dispose(libxl_cpuid_policy_list *p_cpuid_list)
+void libxl_cpuid_dispose(libxl_cpuid_policy_list *pl)
{
- int i, j;
- libxl_cpuid_policy_list cpuid_list = *p_cpuid_list;
+ libxl_cpuid_policy_list policy = *pl;
- if (cpuid_list == NULL)
+ if (policy == NULL)
return;
- for (i = 0; cpuid_list[i].input[0] != XEN_CPUID_INPUT_UNUSED; i++) {
- for (j = 0; j < 4; j++)
- if (cpuid_list[i].policy[j] != NULL) {
- free(cpuid_list[i].policy[j]);
- cpuid_list[i].policy[j] = NULL;
+
+ if (policy->cpuid) {
+ unsigned int i, j;
+ struct xc_xend_cpuid *cpuid_list = policy->cpuid;
+
+ for (i = 0; cpuid_list[i].input[0] != XEN_CPUID_INPUT_UNUSED; i++) {
+ for (j = 0; j < 4; j++) {
+ if (cpuid_list[i].policy[j] != NULL) {
+ free(cpuid_list[i].policy[j]);
+ }
}
+ }
+ free(policy->cpuid);
}
- free(cpuid_list);
- *p_cpuid_list = NULL;
+
+ free(policy->msr);
+
+ free(policy);
+ *pl = NULL;
return;
}
@@ -51,7 +62,7 @@
* Used for the static structure describing all features.
*/
struct cpuid_flags {
- char* name;
+ const char *name;
uint32_t leaf;
uint32_t subleaf;
int reg;
@@ -62,11 +73,17 @@
/* go through the dynamic array finding the entry for a specified leaf.
* if no entry exists, allocate one and return that.
*/
-static libxl_cpuid_policy_list cpuid_find_match(libxl_cpuid_policy_list *list,
- uint32_t leaf, uint32_t subleaf)
+static struct xc_xend_cpuid *cpuid_find_match(libxl_cpuid_policy_list *pl,
+ uint32_t leaf, uint32_t subleaf)
{
+ libxl_cpuid_policy_list policy = *pl;
+ struct xc_xend_cpuid **list;
int i = 0;
+ if (policy == NULL)
+ policy = *pl = calloc(1, sizeof(*policy));
+
+ list = &policy->cpuid;
if (*list != NULL) {
for (i = 0; (*list)[i].input[0] != XEN_CPUID_INPUT_UNUSED; i++) {
if ((*list)[i].input[0] == leaf && (*list)[i].input[1] == subleaf)
@@ -81,12 +98,138 @@
return *list + i;
}
+static int cpuid_add(libxl_cpuid_policy_list *policy,
+ const struct cpuid_flags *flag, const char *val)
+{
+ struct xc_xend_cpuid *entry = cpuid_find_match(policy, flag->leaf,
+ flag->subleaf);
+ unsigned long num;
+ char flags[33], *resstr, *endptr;
+ unsigned int i;
+
+ resstr = entry->policy[flag->reg - 1];
+ num = strtoul(val, &endptr, 0);
+ flags[flag->length] = 0;
+ if (endptr != val) {
+ /* if this was a valid number, write the binary form into the string */
+ for (i = 0; i < flag->length; i++) {
+ flags[flag->length - 1 - i] = "01"[(num >> i) & 1];
+ }
+ } else {
+ switch(val[0]) {
+ case 'x': case 'k': case 's':
+ memset(flags, val[0], flag->length);
+ break;
+ default:
+ return 3;
+ }
+ }
+
+ if (resstr == NULL) {
+ resstr = strdup("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
+ }
+
+ /* the family and model entry is potentially split up across
+ * two fields in Fn0000_0001_EAX, so handle them here separately.
+ */
+ if (!strcmp(flag->name, "family")) {
+ if (num < 16) {
+ memcpy(resstr + (32 - 4) - flag->bit, flags + 4, 4);
+ memcpy(resstr + (32 - 8) - 20, "00000000", 8);
+ } else {
+ num -= 15;
+ memcpy(resstr + (32 - 4) - flag->bit, "1111", 4);
+ for (i = 0; i < 7; i++) {
+ flags[7 - i] = "01"[num & 1];
+ num >>= 1;
+ }
+ memcpy(resstr + (32 - 8) - 20, flags, 8);
+ }
+ } else if (!strcmp(flag->name, "model")) {
+ memcpy(resstr + (32 - 4) - 16, flags, 4);
+ memcpy(resstr + (32 - 4) - flag->bit, flags + 4, 4);
+ } else {
+ memcpy(resstr + (32 - flag->length) - flag->bit, flags,
+ flag->length);
+ }
+ entry->policy[flag->reg - 1] = resstr;
+
+ return 0;
+}
+
+static struct xc_msr *msr_find_match(libxl_cpuid_policy_list *pl, uint32_t idx)
+{
+ unsigned int i = 0;
+ libxl_cpuid_policy_list policy = *pl;
+
+ if (policy == NULL)
+ policy = *pl = calloc(1, sizeof(*policy));
+
+ if (policy->msr != NULL) {
+ for (i = 0; policy->msr[i].index != XC_MSR_INPUT_UNUSED; i++) {
+ if (policy->msr[i].index == idx) {
+ return &policy->msr[i];
+ }
+ }
+ }
+
+ policy->msr = realloc(policy->msr, sizeof(struct xc_msr) * (i + 2));
+ policy->msr[i].index = idx;
+ memset(policy->msr[i].policy, 'x', ARRAY_SIZE(policy->msr[0].policy) - 1);
+ policy->msr[i].policy[ARRAY_SIZE(policy->msr[0].policy) - 1] = '\0';
+ policy->msr[i + 1].index = XC_MSR_INPUT_UNUSED;
+
+ return &policy->msr[i];
+}
+
+static int msr_add(libxl_cpuid_policy_list *policy, uint32_t idx,
+ unsigned int bit, const char *val)
+{
+ struct xc_msr *entry = msr_find_match(policy, idx);
+
+ /* Only allow options taking a character for MSRs, no values allowed. */
+ if (strlen(val) != 1)
+ return 3;
+
+ switch (val[0]) {
+ case '0':
+ case '1':
+ case 'x':
+ case 'k':
+ entry->policy[63 - bit] = val[0];
+ break;
+
+ case 's':
+ /* Translate s -> k as xc_msr doesn't support the deprecated 's'. */
+ entry->policy[63 - bit] = 'k';
+ break;
+
+ default:
+ return 3;
+ }
+
+ return 0;
+}
+
+struct feature_name {
+ const char *name;
+ unsigned int bit;
+};
+
+static int search_feature(const void *a, const void *b)
+{
+ const char *key = a;
+ const char *feat = ((const struct feature_name *)b)->name;
+
+ return strcmp(key, feat);
+}
+
/* parse a single key=value pair and translate it into the libxc
* used interface using 32-characters strings for each register.
* Will overwrite earlier entries and thus can be called multiple
* times.
*/
-int libxl_cpuid_parse_config(libxl_cpuid_policy_list *cpuid, const char* str)
+int libxl_cpuid_parse_config(libxl_cpuid_policy_list *policy, const char* str)
{
#define NA XEN_CPUID_INPUT_UNUSED
static const struct cpuid_flags cpuid_flags[] = {
@@ -101,187 +244,42 @@
{"proccount", 0x00000001, NA, CPUID_REG_EBX, 16, 8},
{"localapicid", 0x00000001, NA, CPUID_REG_EBX, 24, 8},
- {"sse3", 0x00000001, NA, CPUID_REG_ECX, 0, 1},
- {"pclmulqdq", 0x00000001, NA, CPUID_REG_ECX, 1, 1},
- {"dtes64", 0x00000001, NA, CPUID_REG_ECX, 2, 1},
- {"monitor", 0x00000001, NA, CPUID_REG_ECX, 3, 1},
- {"dscpl", 0x00000001, NA, CPUID_REG_ECX, 4, 1},
- {"vmx", 0x00000001, NA, CPUID_REG_ECX, 5, 1},
- {"smx", 0x00000001, NA, CPUID_REG_ECX, 6, 1},
{"est", 0x00000001, NA, CPUID_REG_ECX, 7, 1},
- {"tm2", 0x00000001, NA, CPUID_REG_ECX, 8, 1},
- {"ssse3", 0x00000001, NA, CPUID_REG_ECX, 9, 1},
{"cntxid", 0x00000001, NA, CPUID_REG_ECX, 10, 1},
- {"fma", 0x00000001, NA, CPUID_REG_ECX, 12, 1},
{"cmpxchg16", 0x00000001, NA, CPUID_REG_ECX, 13, 1},
- {"xtpr", 0x00000001, NA, CPUID_REG_ECX, 14, 1},
- {"pdcm", 0x00000001, NA, CPUID_REG_ECX, 15, 1},
- {"pcid", 0x00000001, NA, CPUID_REG_ECX, 17, 1},
- {"dca", 0x00000001, NA, CPUID_REG_ECX, 18, 1},
/* Linux uses sse4_{1,2}. Keep sse4.{1,2} for compatibility */
{"sse4_1", 0x00000001, NA, CPUID_REG_ECX, 19, 1},
{"sse4.1", 0x00000001, NA, CPUID_REG_ECX, 19, 1},
{"sse4_2", 0x00000001, NA, CPUID_REG_ECX, 20, 1},
{"sse4.2", 0x00000001, NA, CPUID_REG_ECX, 20, 1},
- {"x2apic", 0x00000001, NA, CPUID_REG_ECX, 21, 1},
- {"movbe", 0x00000001, NA, CPUID_REG_ECX, 22, 1},
- {"popcnt", 0x00000001, NA, CPUID_REG_ECX, 23, 1},
- {"tsc-deadline", 0x00000001, NA, CPUID_REG_ECX, 24, 1},
{"aes", 0x00000001, NA, CPUID_REG_ECX, 25, 1},
- {"xsave", 0x00000001, NA, CPUID_REG_ECX, 26, 1},
- {"osxsave", 0x00000001, NA, CPUID_REG_ECX, 27, 1},
- {"avx", 0x00000001, NA, CPUID_REG_ECX, 28, 1},
- {"f16c", 0x00000001, NA, CPUID_REG_ECX, 29, 1},
- {"rdrand", 0x00000001, NA, CPUID_REG_ECX, 30, 1},
- {"hypervisor", 0x00000001, NA, CPUID_REG_ECX, 31, 1},
-
- {"fpu", 0x00000001, NA, CPUID_REG_EDX, 0, 1},
- {"vme", 0x00000001, NA, CPUID_REG_EDX, 1, 1},
- {"de", 0x00000001, NA, CPUID_REG_EDX, 2, 1},
- {"pse", 0x00000001, NA, CPUID_REG_EDX, 3, 1},
- {"tsc", 0x00000001, NA, CPUID_REG_EDX, 4, 1},
- {"msr", 0x00000001, NA, CPUID_REG_EDX, 5, 1},
- {"pae", 0x00000001, NA, CPUID_REG_EDX, 6, 1},
- {"mce", 0x00000001, NA, CPUID_REG_EDX, 7, 1},
+
{"cmpxchg8", 0x00000001, NA, CPUID_REG_EDX, 8, 1},
- {"apic", 0x00000001, NA, CPUID_REG_EDX, 9, 1},
{"sysenter", 0x00000001, NA, CPUID_REG_EDX, 11, 1},
- {"mtrr", 0x00000001, NA, CPUID_REG_EDX, 12, 1},
- {"pge", 0x00000001, NA, CPUID_REG_EDX, 13, 1},
- {"mca", 0x00000001, NA, CPUID_REG_EDX, 14, 1},
- {"cmov", 0x00000001, NA, CPUID_REG_EDX, 15, 1},
- {"pat", 0x00000001, NA, CPUID_REG_EDX, 16, 1},
- {"pse36", 0x00000001, NA, CPUID_REG_EDX, 17, 1},
{"psn", 0x00000001, NA, CPUID_REG_EDX, 18, 1},
{"clfsh", 0x00000001, NA, CPUID_REG_EDX, 19, 1},
- {"ds", 0x00000001, NA, CPUID_REG_EDX, 21, 1},
- {"acpi", 0x00000001, NA, CPUID_REG_EDX, 22, 1},
- {"mmx", 0x00000001, NA, CPUID_REG_EDX, 23, 1},
- {"fxsr", 0x00000001, NA, CPUID_REG_EDX, 24, 1},
- {"sse", 0x00000001, NA, CPUID_REG_EDX, 25, 1},
- {"sse2", 0x00000001, NA, CPUID_REG_EDX, 26, 1},
- {"ss", 0x00000001, NA, CPUID_REG_EDX, 27, 1},
- {"htt", 0x00000001, NA, CPUID_REG_EDX, 28, 1},
{"tm", 0x00000001, NA, CPUID_REG_EDX, 29, 1},
{"ia64", 0x00000001, NA, CPUID_REG_EDX, 30, 1},
{"pbe", 0x00000001, NA, CPUID_REG_EDX, 31, 1},
{"arat", 0x00000006, NA, CPUID_REG_EAX, 2, 1},
- {"fsgsbase", 0x00000007, 0, CPUID_REG_EBX, 0, 1},
{"tsc_adjust", 0x00000007, 0, CPUID_REG_EBX, 1, 1},
- {"bmi1", 0x00000007, 0, CPUID_REG_EBX, 3, 1},
- {"hle", 0x00000007, 0, CPUID_REG_EBX, 4, 1},
- {"avx2", 0x00000007, 0, CPUID_REG_EBX, 5, 1},
- {"smep", 0x00000007, 0, CPUID_REG_EBX, 7, 1},
- {"bmi2", 0x00000007, 0, CPUID_REG_EBX, 8, 1},
- {"erms", 0x00000007, 0, CPUID_REG_EBX, 9, 1},
- {"invpcid", 0x00000007, 0, CPUID_REG_EBX, 10, 1},
- {"rtm", 0x00000007, 0, CPUID_REG_EBX, 11, 1},
{"cmt", 0x00000007, 0, CPUID_REG_EBX, 12, 1},
- {"mpx", 0x00000007, 0, CPUID_REG_EBX, 14, 1},
- {"avx512f", 0x00000007, 0, CPUID_REG_EBX, 16, 1},
- {"avx512dq", 0x00000007, 0, CPUID_REG_EBX, 17, 1},
- {"rdseed", 0x00000007, 0, CPUID_REG_EBX, 18, 1},
- {"adx", 0x00000007, 0, CPUID_REG_EBX, 19, 1},
- {"smap", 0x00000007, 0, CPUID_REG_EBX, 20, 1},
- {"avx512-ifma", 0x00000007, 0, CPUID_REG_EBX, 21, 1},
- {"clflushopt", 0x00000007, 0, CPUID_REG_EBX, 23, 1},
- {"clwb", 0x00000007, 0, CPUID_REG_EBX, 24, 1},
- {"avx512pf", 0x00000007, 0, CPUID_REG_EBX, 26, 1},
- {"avx512er", 0x00000007, 0, CPUID_REG_EBX, 27, 1},
- {"avx512cd", 0x00000007, 0, CPUID_REG_EBX, 28, 1},
- {"sha", 0x00000007, 0, CPUID_REG_EBX, 29, 1},
- {"avx512bw", 0x00000007, 0, CPUID_REG_EBX, 30, 1},
- {"avx512vl", 0x00000007, 0, CPUID_REG_EBX, 31, 1},
-
- {"prefetchwt1", 0x00000007, 0, CPUID_REG_ECX, 0, 1},
- {"avx512-vbmi", 0x00000007, 0, CPUID_REG_ECX, 1, 1},
- {"umip", 0x00000007, 0, CPUID_REG_ECX, 2, 1},
- {"pku", 0x00000007, 0, CPUID_REG_ECX, 3, 1},
- {"ospke", 0x00000007, 0, CPUID_REG_ECX, 4, 1},
- {"avx512-vbmi2", 0x00000007, 0, CPUID_REG_ECX, 6, 1},
- {"cet-ss", 0x00000007, 0, CPUID_REG_ECX, 7, 1},
- {"gfni", 0x00000007, 0, CPUID_REG_ECX, 8, 1},
- {"vaes", 0x00000007, 0, CPUID_REG_ECX, 9, 1},
- {"vpclmulqdq", 0x00000007, 0, CPUID_REG_ECX, 10, 1},
- {"avx512-vnni", 0x00000007, 0, CPUID_REG_ECX, 11, 1},
- {"avx512-bitalg",0x00000007, 0, CPUID_REG_ECX, 12, 1},
- {"avx512-vpopcntdq",0x00000007,0,CPUID_REG_ECX, 14, 1},
- {"rdpid", 0x00000007, 0, CPUID_REG_ECX, 22, 1},
- {"cldemote", 0x00000007, 0, CPUID_REG_ECX, 25, 1},
-
- {"avx512-4vnniw",0x00000007, 0, CPUID_REG_EDX, 2, 1},
- {"avx512-4fmaps",0x00000007, 0, CPUID_REG_EDX, 3, 1},
- {"srbds-ctrl", 0x00000007, 0, CPUID_REG_EDX, 9, 1},
- {"md-clear", 0x00000007, 0, CPUID_REG_EDX, 10, 1},
- {"serialize", 0x00000007, 0, CPUID_REG_EDX, 14, 1},
- {"tsxldtrk", 0x00000007, 0, CPUID_REG_EDX, 16, 1},
- {"cet-ibt", 0x00000007, 0, CPUID_REG_EDX, 20, 1},
- {"ibrsb", 0x00000007, 0, CPUID_REG_EDX, 26, 1},
- {"stibp", 0x00000007, 0, CPUID_REG_EDX, 27, 1},
- {"l1d-flush", 0x00000007, 0, CPUID_REG_EDX, 28, 1},
- {"arch-caps", 0x00000007, 0, CPUID_REG_EDX, 29, 1},
- {"core-caps", 0x00000007, 0, CPUID_REG_EDX, 30, 1},
- {"ssbd", 0x00000007, 0, CPUID_REG_EDX, 31, 1},
-
- {"avx512-bf16", 0x00000007, 1, CPUID_REG_EAX, 5, 1},
-
- {"intel-psfd", 0x00000007, 2, CPUID_REG_EDX, 0, 1},
{"lahfsahf", 0x80000001, NA, CPUID_REG_ECX, 0, 1},
{"cmplegacy", 0x80000001, NA, CPUID_REG_ECX, 1, 1},
- {"svm", 0x80000001, NA, CPUID_REG_ECX, 2, 1},
- {"extapic", 0x80000001, NA, CPUID_REG_ECX, 3, 1},
{"altmovcr8", 0x80000001, NA, CPUID_REG_ECX, 4, 1},
- {"abm", 0x80000001, NA, CPUID_REG_ECX, 5, 1},
- {"sse4a", 0x80000001, NA, CPUID_REG_ECX, 6, 1},
- {"misalignsse", 0x80000001, NA, CPUID_REG_ECX, 7, 1},
- {"3dnowprefetch",0x80000001, NA, CPUID_REG_ECX, 8, 1},
- {"osvw", 0x80000001, NA, CPUID_REG_ECX, 9, 1},
- {"ibs", 0x80000001, NA, CPUID_REG_ECX, 10, 1},
- {"xop", 0x80000001, NA, CPUID_REG_ECX, 11, 1},
- {"skinit", 0x80000001, NA, CPUID_REG_ECX, 12, 1},
- {"wdt", 0x80000001, NA, CPUID_REG_ECX, 13, 1},
- {"lwp", 0x80000001, NA, CPUID_REG_ECX, 15, 1},
- {"fma4", 0x80000001, NA, CPUID_REG_ECX, 16, 1},
{"nodeid", 0x80000001, NA, CPUID_REG_ECX, 19, 1},
- {"tbm", 0x80000001, NA, CPUID_REG_ECX, 21, 1},
- {"topoext", 0x80000001, NA, CPUID_REG_ECX, 22, 1},
{"perfctr_core", 0x80000001, NA, CPUID_REG_ECX, 23, 1},
{"perfctr_nb", 0x80000001, NA, CPUID_REG_ECX, 24, 1},
- {"syscall", 0x80000001, NA, CPUID_REG_EDX, 11, 1},
- {"nx", 0x80000001, NA, CPUID_REG_EDX, 20, 1},
- {"mmxext", 0x80000001, NA, CPUID_REG_EDX, 22, 1},
- {"ffxsr", 0x80000001, NA, CPUID_REG_EDX, 25, 1},
- {"page1gb", 0x80000001, NA, CPUID_REG_EDX, 26, 1},
- {"rdtscp", 0x80000001, NA, CPUID_REG_EDX, 27, 1},
- {"lm", 0x80000001, NA, CPUID_REG_EDX, 29, 1},
- {"3dnowext", 0x80000001, NA, CPUID_REG_EDX, 30, 1},
- {"3dnow", 0x80000001, NA, CPUID_REG_EDX, 31, 1},
-
{"procpkg", 0x00000004, 0, CPUID_REG_EAX, 26, 6},
{"invtsc", 0x80000007, NA, CPUID_REG_EDX, 8, 1},
- {"clzero", 0x80000008, NA, CPUID_REG_EBX, 0, 1},
- {"rstr-fp-err-ptrs", 0x80000008, NA, CPUID_REG_EBX, 2, 1},
- {"wbnoinvd", 0x80000008, NA, CPUID_REG_EBX, 9, 1},
- {"ibpb", 0x80000008, NA, CPUID_REG_EBX, 12, 1},
- {"ibrs", 0x80000008, NA, CPUID_REG_EBX, 14, 1},
- {"amd-stibp", 0x80000008, NA, CPUID_REG_EBX, 15, 1},
- {"ibrs-always", 0x80000008, NA, CPUID_REG_EBX, 16, 1},
- {"stibp-always", 0x80000008, NA, CPUID_REG_EBX, 17, 1},
- {"ibrs-fast", 0x80000008, NA, CPUID_REG_EBX, 18, 1},
- {"ibrs-same-mode", 0x80000008, NA, CPUID_REG_EBX, 19, 1},
{"ppin", 0x80000008, NA, CPUID_REG_EBX, 23, 1},
- {"amd-ssbd", 0x80000008, NA, CPUID_REG_EBX, 24, 1},
- {"virt-ssbd", 0x80000008, NA, CPUID_REG_EBX, 25, 1},
- {"ssb-no", 0x80000008, NA, CPUID_REG_EBX, 26, 1},
- {"psfd", 0x80000008, NA, CPUID_REG_EBX, 28, 1},
{"btc-no", 0x80000008, NA, CPUID_REG_EBX, 29, 1},
- {"ibpb-ret", 0x80000008, NA, CPUID_REG_EBX, 30, 1},
{"nc", 0x80000008, NA, CPUID_REG_ECX, 0, 8},
{"apicidsize", 0x80000008, NA, CPUID_REG_ECX, 12, 4},
@@ -300,13 +298,62 @@
{NULL, 0, NA, CPUID_REG_INV, 0, 0}
};
+ static const struct feature_name features[] = INIT_FEATURE_NAMES;
+ /*
+ * NB: if we switch to using a cpu_policy derived object instead of a
+ * libxl_cpuid_policy_list we could get rid of the featureset -> cpuid leaf
+ * conversion table and use a featureset directly as we have conversions
+ * to/from featureset and cpu_policy.
+ */
+ static const struct {
+ enum { FEAT_CPUID, FEAT_MSR } type;
+ union {
+ struct {
+ uint32_t leaf, subleaf;
+ unsigned int reg;
+ } cpuid;
+ struct {
+ uint32_t index;
+ unsigned int reg;
+ } msr;
+ } u;
+ } feature_to_policy[] = {
+#define CPUID_ENTRY(l, s, r) \
+ { .type = FEAT_CPUID, \
+ .u = { .cpuid.leaf = l, .cpuid.subleaf = s, .cpuid.reg = r } \
+ }
+#define MSR_ENTRY(i, r) \
+ { .type = FEAT_MSR, \
+ .u = { .msr.index = i, .msr.reg = r } \
+ }
+ CPUID_ENTRY(0x00000001, NA, CPUID_REG_EDX),
+ CPUID_ENTRY(0x00000001, NA, CPUID_REG_ECX),
+ CPUID_ENTRY(0x80000001, NA, CPUID_REG_EDX),
+ CPUID_ENTRY(0x80000001, NA, CPUID_REG_ECX),
+ CPUID_ENTRY(0x0000000D, 1, CPUID_REG_EAX),
+ CPUID_ENTRY(0x00000007, 0, CPUID_REG_EBX),
+ CPUID_ENTRY(0x00000007, 0, CPUID_REG_ECX),
+ CPUID_ENTRY(0x80000007, NA, CPUID_REG_EDX),
+ CPUID_ENTRY(0x80000008, NA, CPUID_REG_EBX),
+ CPUID_ENTRY(0x00000007, 0, CPUID_REG_EDX),
+ CPUID_ENTRY(0x00000007, 1, CPUID_REG_EAX),
+ CPUID_ENTRY(0x80000021, NA, CPUID_REG_EAX),
+ CPUID_ENTRY(0x00000007, 1, CPUID_REG_EBX),
+ CPUID_ENTRY(0x00000007, 2, CPUID_REG_EDX),
+ CPUID_ENTRY(0x00000007, 1, CPUID_REG_ECX),
+ CPUID_ENTRY(0x00000007, 1, CPUID_REG_EDX),
+ MSR_ENTRY(0x10a, CPUID_REG_EAX),
+ MSR_ENTRY(0x10a, CPUID_REG_EDX),
+#undef MSR_ENTRY
+#undef CPUID_ENTRY
+ };
#undef NA
- char *sep, *val, *endptr;
- int i;
+ const char *sep, *val;
+ char *name;
const struct cpuid_flags *flag;
- struct xc_xend_cpuid *entry;
- unsigned long num;
- char flags[33], *resstr;
+ const struct feature_name *feat;
+
+ BUILD_BUG_ON(ARRAY_SIZE(feature_to_policy) != FEATURESET_NR_ENTRIES);
sep = strchr(str, '=');
if (sep == NULL) {
@@ -316,67 +363,56 @@
}
for (flag = cpuid_flags; flag->name != NULL; flag++) {
if(!strncmp(str, flag->name, sep - str) && flag->name[sep - str] == 0)
- break;
+ return cpuid_add(policy, flag, val);
}
- if (flag->name == NULL) {
+
+ /* Provide a NUL terminated feature name to the search helper. */
+ name = strndup(str, sep - str);
+ if (name == NULL)
+ return ERROR_NOMEM;
+
+ feat = bsearch(name, features, ARRAY_SIZE(features), sizeof(features[0]),
+ search_feature);
+ free(name);
+
+ if (feat == NULL)
return 2;
- }
- entry = cpuid_find_match(cpuid, flag->leaf, flag->subleaf);
- resstr = entry->policy[flag->reg - 1];
- num = strtoull(val, &endptr, 0);
- flags[flag->length] = 0;
- if (endptr != val) {
- /* if this was a valid number, write the binary form into the string */
- for (i = 0; i < flag->length; i++) {
- flags[flag->length - 1 - i] = "01"[!!(num & (1 << i))];
- }
- } else {
- switch(val[0]) {
- case 'x': case 'k': case 's':
- memset(flags, val[0], flag->length);
- break;
- default:
- return 3;
- }
- }
- if (resstr == NULL) {
- resstr = strdup("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
+ switch (feature_to_policy[feat->bit / 32].type) {
+ case FEAT_CPUID:
+ {
+ struct cpuid_flags f;
+
+ f.name = feat->name;
+ f.leaf = feature_to_policy[feat->bit / 32].u.cpuid.leaf;
+ f.subleaf = feature_to_policy[feat->bit / 32].u.cpuid.subleaf;
+ f.reg = feature_to_policy[feat->bit / 32].u.cpuid.reg;
+ f.bit = feat->bit % 32;
+ f.length = 1;
+
+ return cpuid_add(policy, &f, val);
}
- /* the family and model entry is potentially split up across
- * two fields in Fn0000_0001_EAX, so handle them here separately.
- */
- if (!strncmp(str, "family", sep - str)) {
- if (num < 16) {
- memcpy(resstr + (32 - 4) - flag->bit, flags + 4, 4);
- memcpy(resstr + (32 - 8) - 20, "00000000", 8);
- } else {
- num -= 15;
- memcpy(resstr + (32 - 4) - flag->bit, "1111", 4);
- for (i = 0; i < 7; i++) {
- flags[7 - i] = "01"[num & 1];
- num >>= 1;
- }
- memcpy(resstr + (32 - 8) - 20, flags, 8);
- }
- } else if (!strncmp(str, "model", sep - str)) {
- memcpy(resstr + (32 - 4) - 16, flags, 4);
- memcpy(resstr + (32 - 4) - flag->bit, flags + 4, 4);
- } else {
- memcpy(resstr + (32 - flag->length) - flag->bit, flags,
- flag->length);
+ case FEAT_MSR:
+ {
+ unsigned int bit = feat->bit % 32;
+
+ if (feature_to_policy[feat->bit / 32].u.msr.reg == CPUID_REG_EDX)
+ bit += 32;
+
+ return msr_add(policy, feature_to_policy[feat->bit / 32].u.msr.index,
+ bit, val);
+ }
}
- entry->policy[flag->reg - 1] = resstr;
- return 0;
+ return 2;
}
/* parse a single list item from the legacy Python xend syntax, where
* the strings for each register were directly exposed to the user.
* Used for maintaining compatibility with older config files
*/
-int libxl_cpuid_parse_config_xend(libxl_cpuid_policy_list *cpuid,
+int libxl_cpuid_parse_config_xend(libxl_cpuid_policy_list *policy,
const char* str)
{
char *endptr;
@@ -403,7 +439,7 @@
return 3;
}
str = endptr + 1;
- entry = cpuid_find_match(cpuid, leaf, subleaf);
+ entry = cpuid_find_match(policy, leaf, subleaf);
for (str = endptr + 1; *str != 0;) {
if (str[0] != 'e' || str[2] != 'x') {
return 4;
@@ -432,10 +468,12 @@
return 0;
}
-void libxl__cpuid_legacy(libxl_ctx *ctx, uint32_t domid, bool restore,
- libxl_domain_build_info *info)
+int libxl__cpuid_legacy(libxl_ctx *ctx, uint32_t domid, bool restore,
+ libxl_domain_build_info *info)
{
+ GC_INIT(ctx);
bool pae = true;
+ int r;
/*
* For PV guests, PAE is Xen-controlled (it is the 'p' that differentiates
@@ -450,36 +488,59 @@
if (info->type == LIBXL_DOMAIN_TYPE_HVM)
pae = libxl_defbool_val(info->u.hvm.pae);
- xc_cpuid_apply_policy(ctx->xch, domid, restore, NULL, 0, pae, info->cpuid);
+ r = xc_cpuid_apply_policy(ctx->xch, domid, restore, NULL, 0,
+ pae,
+ info->cpuid ? info->cpuid->cpuid : NULL,
+ info->cpuid ? info->cpuid->msr : NULL);
+ if (r)
+ LOGEVD(ERROR, -r, domid, "Failed to apply CPUID policy");
+
+ GC_FREE;
+ return r ? ERROR_FAIL : 0;
}
static const char *input_names[2] = { "leaf", "subleaf" };
static const char *policy_names[4] = { "eax", "ebx", "ecx", "edx" };
/*
* Aiming for:
- * [
- * { 'leaf': 'val-eax',
- * 'subleaf': 'val-ecx',
- * 'eax': 'filter',
- * 'ebx': 'filter',
- * 'ecx': 'filter',
- * 'edx': 'filter' },
- * { 'leaf': 'val-eax', ..., 'eax': 'filter', ... },
- * ... etc ...
- * ]
+ * { 'cpuid': [
+ * { 'leaf': 'val-eax',
+ * 'subleaf': 'val-ecx',
+ * 'eax': 'filter',
+ * 'ebx': 'filter',
+ * 'ecx': 'filter',
+ * 'edx': 'filter' },
+ * { 'leaf': 'val-eax', ..., 'eax': 'filter', ... },
+ * ... etc ...
+ * ],
+ * 'msr': [
+ * { 'index': 'val-index',
+ * 'policy': 'filter', },
+ * ... etc ...
+ * ],
+ * }
*/
yajl_gen_status libxl_cpuid_policy_list_gen_json(yajl_gen hand,
- libxl_cpuid_policy_list *pcpuid)
+ libxl_cpuid_policy_list *pl)
{
- libxl_cpuid_policy_list cpuid = *pcpuid;
+ libxl_cpuid_policy_list policy = *pl;
+ struct xc_xend_cpuid *cpuid;
+ const struct xc_msr *msr;
yajl_gen_status s;
int i, j;
+ s = yajl_gen_map_open(hand);
+ if (s != yajl_gen_status_ok) goto out;
+
+ s = libxl__yajl_gen_asciiz(hand, "cpuid");
+ if (s != yajl_gen_status_ok) goto out;
+
s = yajl_gen_array_open(hand);
if (s != yajl_gen_status_ok) goto out;
- if (cpuid == NULL) goto empty;
+ if (policy == NULL || policy->cpuid == NULL) goto empty;
+ cpuid = policy->cpuid;
for (i = 0; cpuid[i].input[0] != XEN_CPUID_INPUT_UNUSED; i++) {
s = yajl_gen_map_open(hand);
@@ -509,6 +570,39 @@
empty:
s = yajl_gen_array_close(hand);
+ if (s != yajl_gen_status_ok) goto out;
+
+ s = libxl__yajl_gen_asciiz(hand, "msr");
+ if (s != yajl_gen_status_ok) goto out;
+
+ s = yajl_gen_array_open(hand);
+ if (s != yajl_gen_status_ok) goto out;
+
+ if (!policy || !policy->msr) goto done;
+ msr = policy->msr;
+
+ for (i = 0; msr[i].index != XC_MSR_INPUT_UNUSED; i++) {
+ s = yajl_gen_map_open(hand);
+ if (s != yajl_gen_status_ok) goto out;
+
+ s = libxl__yajl_gen_asciiz(hand, "index");
+ if (s != yajl_gen_status_ok) goto out;
+ s = yajl_gen_integer(hand, msr[i].index);
+ if (s != yajl_gen_status_ok) goto out;
+ s = libxl__yajl_gen_asciiz(hand, "policy");
+ if (s != yajl_gen_status_ok) goto out;
+ s = yajl_gen_string(hand,
+ (const unsigned char *)msr[i].policy, 64);
+ if (s != yajl_gen_status_ok) goto out;
+
+ s = yajl_gen_map_close(hand);
+ if (s != yajl_gen_status_ok) goto out;
+ }
+
+done:
+ s = yajl_gen_array_close(hand);
+ if (s != yajl_gen_status_ok) goto out;
+ s = yajl_gen_map_close(hand);
out:
return s;
}
@@ -518,19 +612,44 @@
libxl_cpuid_policy_list *p)
{
int i, size;
- libxl_cpuid_policy_list l;
+ struct xc_xend_cpuid *l;
+ struct xc_msr *msr;
+ const libxl__json_object *co;
flexarray_t *array;
+ bool cpuid_only = false;
+
+ /*
+ * Old JSON field was an array with just the CPUID data. With the addition
+ * of MSRs the object is now a map with two array fields.
+ *
+ * Use the object format to detect whether the passed data contains just
+ * CPUID leafs and thus is an array, or does also contain MSRs and is a
+ * map.
+ */
+ if (libxl__json_object_is_array(o)) {
+ co = o;
+ cpuid_only = true;
+ goto parse_cpuid;
+ }
- if (!libxl__json_object_is_array(o))
+ if (!libxl__json_object_is_map(o))
return ERROR_FAIL;
- array = libxl__json_object_get_array(o);
+ co = libxl__json_map_get("cpuid", o, JSON_ARRAY);
+ if (!libxl__json_object_is_array(co))
+ return ERROR_FAIL;
+
+parse_cpuid:
+ *p = libxl__calloc(NOGC, 1, sizeof(**p));
+
+ array = libxl__json_object_get_array(co);
if (!array->count)
- return 0;
+ goto cpuid_empty;
size = array->count;
/* need one extra slot as sentinel */
- l = *p = libxl__calloc(NOGC, size + 1, sizeof(libxl_cpuid_policy));
+ l = (*p)->cpuid = libxl__calloc(NOGC, size + 1,
+ sizeof(struct xc_xend_cpuid));
l[size].input[0] = XEN_CPUID_INPUT_UNUSED;
l[size].input[1] = XEN_CPUID_INPUT_UNUSED;
@@ -566,6 +685,42 @@
libxl__strdup(NOGC, libxl__json_object_get_string(r));
}
}
+ if (cpuid_only)
+ return 0;
+
+cpuid_empty:
+ co = libxl__json_map_get("msr", o, JSON_ARRAY);
+ if (!libxl__json_object_is_array(co))
+ return ERROR_FAIL;
+
+ array = libxl__json_object_get_array(co);
+ if (!array->count)
+ return 0;
+ size = array->count;
+ /* need one extra slot as sentinel */
+ msr = (*p)->msr = libxl__calloc(NOGC, size + 1, sizeof(struct xc_msr));
+
+ msr[size].index = XC_MSR_INPUT_UNUSED;
+
+ for (i = 0; i < size; i++) {
+ const libxl__json_object *t, *r;
+
+ if (flexarray_get(array, i, (void**)&t) != 0)
+ return ERROR_FAIL;
+
+ if (!libxl__json_object_is_map(t))
+ return ERROR_FAIL;
+
+ r = libxl__json_map_get("index", t, JSON_INTEGER);
+ if (!r) return ERROR_FAIL;
+ msr[i].index = libxl__json_object_get_integer(r);
+ r = libxl__json_map_get("policy", t, JSON_STRING);
+ if (!r) return ERROR_FAIL;
+ if (strlen(libxl__json_object_get_string(r)) !=
+ ARRAY_SIZE(msr[i].policy) - 1)
+ return ERROR_FAIL;
+ strcpy(msr[i].policy, libxl__json_object_get_string(r));
+ }
return 0;
}
@@ -573,8 +728,12 @@
int libxl_cpuid_policy_list_length(const libxl_cpuid_policy_list *pl)
{
int i = 0;
- libxl_cpuid_policy_list l = *pl;
+ const struct xc_xend_cpuid *l;
+
+ if (*pl == NULL)
+ return 0;
+ l = (*pl)->cpuid;
if (l) {
while (l[i].input[0] != XEN_CPUID_INPUT_UNUSED)
i++;
@@ -584,20 +743,29 @@
}
void libxl_cpuid_policy_list_copy(libxl_ctx *ctx,
- libxl_cpuid_policy_list *dst,
- const libxl_cpuid_policy_list *src)
+ libxl_cpuid_policy_list *pdst,
+ const libxl_cpuid_policy_list *psrc)
{
+ struct xc_xend_cpuid **dst;
+ struct xc_xend_cpuid *const *src;
GC_INIT(ctx);
int i, j, len;
- if (*src == NULL) {
- *dst = NULL;
+ if (*psrc == NULL) {
+ *pdst = NULL;
goto out;
}
- len = libxl_cpuid_policy_list_length(src);
+ *pdst = libxl__calloc(NOGC, 1, sizeof(**pdst));
+
+ if (!(*psrc)->cpuid)
+ goto copy_msr;
+
+ dst = &(*pdst)->cpuid;
+ src = &(*psrc)->cpuid;
+ len = libxl_cpuid_policy_list_length(psrc);
/* one extra slot for sentinel */
- *dst = libxl__calloc(NOGC, len + 1, sizeof(libxl_cpuid_policy));
+ *dst = libxl__calloc(NOGC, len + 1, sizeof(struct xc_xend_cpuid));
(*dst)[len].input[0] = XEN_CPUID_INPUT_UNUSED;
(*dst)[len].input[1] = XEN_CPUID_INPUT_UNUSED;
@@ -612,6 +780,22 @@
(*dst)[i].policy[j] = NULL;
}
+copy_msr:
+ if ((*psrc)->msr) {
+ const struct xc_msr *msr = (*psrc)->msr;
+
+ for (i = 0; msr[i].index != XC_MSR_INPUT_UNUSED; i++)
+ ;
+ len = i;
+ (*pdst)->msr = libxl__calloc(NOGC, len + 1, sizeof(struct xc_msr));
+ (*pdst)->msr[len].index = XC_MSR_INPUT_UNUSED;
+
+ for (i = 0; i < len; i++) {
+ (*pdst)->msr[i].index = msr[i].index;
+ strcpy((*pdst)->msr[i].policy, msr[i].policy);
+ }
+ }
+
out:
GC_FREE;
}
diff -Nru xen-4.14.5+94-ge49571868d/tools/libxl/libxl_create.c xen-4.14.6/tools/libxl/libxl_create.c
--- xen-4.14.5+94-ge49571868d/tools/libxl/libxl_create.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/libxl/libxl_create.c 2023-08-07 14:11:14.000000000 +0200
@@ -1438,6 +1438,7 @@
libxl_domain_config *d_config = dcs->guest_config;
libxl_domain_build_info *info = &d_config->b_info;
+ int rc = 0;
/*
* CPUID/MSR information is not present in pre Xen-4.14 streams.
@@ -1447,9 +1448,9 @@
* stream doesn't contain any CPUID data.
*/
if (missing & XGR_SDD_MISSING_CPUID)
- libxl__cpuid_legacy(ctx, dcs->guest_domid, true, info);
+ rc = libxl__cpuid_legacy(ctx, dcs->guest_domid, true, info);
- return 0;
+ return rc;
}
void libxl__srm_callout_callback_restore_results(xen_pfn_t store_mfn,
@@ -2141,6 +2142,8 @@
aop_console_how);
cdcs->domid_out = &domid_out;
+ state->soft_reset = true;
+
dom_path = libxl__xs_get_dompath(gc, domid);
if (!dom_path) {
LOGD(ERROR, domid, "failed to read domain path");
diff -Nru xen-4.14.5+94-ge49571868d/tools/libxl/libxl_dom.c xen-4.14.6/tools/libxl/libxl_dom.c
--- xen-4.14.5+94-ge49571868d/tools/libxl/libxl_dom.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/libxl/libxl_dom.c 2023-08-07 14:11:14.000000000 +0200
@@ -386,13 +386,15 @@
state->console_port = xc_evtchn_alloc_unbound(ctx->xch, domid, state->console_domid);
rc = libxl__arch_domain_create(gc, d_config, domid);
+ if (rc) goto out;
/* Construct a CPUID policy, but only for brand new domains. Domains
* being migrated-in/restored have CPUID handled during the
* static_data_done() callback. */
- if (!state->restore)
- libxl__cpuid_legacy(ctx, domid, false, info);
+ if (!state->restore && !state->soft_reset)
+ rc = libxl__cpuid_legacy(ctx, domid, false, info);
+out:
return rc;
}
diff -Nru xen-4.14.5+94-ge49571868d/tools/libxl/libxl.h xen-4.14.6/tools/libxl/libxl.h
--- xen-4.14.5+94-ge49571868d/tools/libxl/libxl.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/libxl/libxl.h 2023-08-07 14:11:14.000000000 +0200
@@ -1310,12 +1310,8 @@
void libxl_bitmap_init(libxl_bitmap *map);
void libxl_bitmap_dispose(libxl_bitmap *map);
-/*
- * libxl_cpuid_policy is opaque in the libxl ABI. Users of both libxl and
- * libxc may not make assumptions about xc_xend_cpuid.
- */
-typedef struct xc_xend_cpuid libxl_cpuid_policy;
-typedef libxl_cpuid_policy * libxl_cpuid_policy_list;
+struct libxl__cpu_policy;
+typedef struct libxl__cpu_policy *libxl_cpuid_policy_list;
void libxl_cpuid_dispose(libxl_cpuid_policy_list *cpuid_list);
int libxl_cpuid_policy_list_length(const libxl_cpuid_policy_list *l);
void libxl_cpuid_policy_list_copy(libxl_ctx *ctx,
diff -Nru xen-4.14.5+94-ge49571868d/tools/libxl/libxl_internal.h xen-4.14.6/tools/libxl/libxl_internal.h
--- xen-4.14.5+94-ge49571868d/tools/libxl/libxl_internal.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/libxl/libxl_internal.h 2023-08-07 14:11:14.000000000 +0200
@@ -1403,6 +1403,7 @@
/* Whether this domain is being migrated/restored, or booting fresh. Only
* applicable to the primary domain, not support domains (e.g. stub QEMU). */
bool restore;
+ bool soft_reset;
} libxl__domain_build_state;
_hidden void libxl__domain_build_state_init(libxl__domain_build_state *s);
@@ -2056,8 +2057,8 @@
_hidden char *libxl__object_to_json(libxl_ctx *ctx, const char *type,
libxl__gen_json_callback gen, void *p);
-_hidden void libxl__cpuid_legacy(libxl_ctx *ctx, uint32_t domid, bool retore,
- libxl_domain_build_info *info);
+_hidden int libxl__cpuid_legacy(libxl_ctx *ctx, uint32_t domid, bool retore,
+ libxl_domain_build_info *info);
/* Calls poll() again - useful to check whether a signaled condition
* is still true. Cannot fail. Returns currently-true revents. */
@@ -4837,6 +4838,11 @@
/* Check whether a domid is recent */
int libxl__is_domid_recent(libxl__gc *gc, uint32_t domid, bool *recent);
+struct libxl__cpu_policy {
+ struct xc_xend_cpuid *cpuid;
+ struct xc_msr *msr;
+};
+
#endif
/*
diff -Nru xen-4.14.5+94-ge49571868d/tools/libxl/libxl_nocpuid.c xen-4.14.6/tools/libxl/libxl_nocpuid.c
--- xen-4.14.5+94-ge49571868d/tools/libxl/libxl_nocpuid.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/libxl/libxl_nocpuid.c 2023-08-07 14:11:14.000000000 +0200
@@ -34,9 +34,10 @@
return 0;
}
-void libxl__cpuid_legacy(libxl_ctx *ctx, uint32_t domid, bool restore,
- libxl_domain_build_info *info)
+int libxl__cpuid_legacy(libxl_ctx *ctx, uint32_t domid, bool restore,
+ libxl_domain_build_info *info)
{
+ return 0;
}
yajl_gen_status libxl_cpuid_policy_list_gen_json(yajl_gen hand,
diff -Nru xen-4.14.5+94-ge49571868d/tools/libxl/libxl_types.idl xen-4.14.6/tools/libxl/libxl_types.idl
--- xen-4.14.5+94-ge49571868d/tools/libxl/libxl_types.idl 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/libxl/libxl_types.idl 2023-08-07 14:11:14.000000000 +0200
@@ -19,7 +19,7 @@
libxl_bitmap = Builtin("bitmap", json_parse_type="JSON_ARRAY", dispose_fn="libxl_bitmap_dispose", passby=PASS_BY_REFERENCE,
check_default_fn="libxl_bitmap_is_empty", copy_fn="libxl_bitmap_copy_alloc")
libxl_cpuid_policy_list = Builtin("cpuid_policy_list", dispose_fn="libxl_cpuid_dispose", passby=PASS_BY_REFERENCE,
- json_parse_type="JSON_ARRAY", check_default_fn="libxl__cpuid_policy_is_empty",
+ json_parse_type="JSON_ANY", check_default_fn="libxl__cpuid_policy_is_empty",
copy_fn="libxl_cpuid_policy_list_copy")
libxl_string_list = Builtin("string_list", dispose_fn="libxl_string_list_dispose", passby=PASS_BY_REFERENCE,
diff -Nru xen-4.14.5+94-ge49571868d/tools/misc/xen-cpuid.c xen-4.14.6/tools/misc/xen-cpuid.c
--- xen-4.14.5+94-ge49571868d/tools/misc/xen-cpuid.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/misc/xen-cpuid.c 2023-08-07 14:11:14.000000000 +0200
@@ -187,51 +187,85 @@
static const char *const str_e21a[32] =
{
[ 2] = "lfence+",
+
+ /* 26 */ [27] = "sbpb",
+ [28] = "ibpb-brtype", [29] = "srso-no",
};
static const char *const str_7b1[32] =
{
};
+static const char *const str_7c1[32] =
+{
+};
+
+static const char *const str_7d1[32] =
+{
+};
+
static const char *const str_7d2[32] =
{
[ 0] = "intel-psfd",
};
+static const char *const str_m10Al[32] =
+{
+ [ 0] = "rdcl-no", [ 1] = "eibrs",
+ [ 2] = "rsba", [ 3] = "skip-l1dfl",
+ [ 4] = "intel-ssb-no", [ 5] = "mds-no",
+ [ 6] = "if-pschange-mc-no", [ 7] = "tsx-ctrl",
+ [ 8] = "taa-no", [ 9] = "mcu-ctrl",
+ [10] = "misc-pkg-ctrl", [11] = "energy-ctrl",
+ [12] = "doitm", [13] = "sbdr-ssdp-no",
+ [14] = "fbsdp-no", [15] = "psdp-no",
+ /* 16 */ [17] = "fb-clear",
+ [18] = "fb-clear-ctrl", [19] = "rrsba",
+ [20] = "bhi-no", [21] = "xapic-status",
+ /* 22 */ [23] = "ovrclk-status",
+ [24] = "pbrsb-no", [25] = "gds-ctrl",
+ [26] = "gds-no",
+};
+
+static const char *const str_m10Ah[32] =
+{
+};
+
static const struct {
const char *name;
const char *abbr;
const char *const *strs;
} decodes[] =
{
- { "0x00000001.edx", "1d", str_1d },
- { "0x00000001.ecx", "1c", str_1c },
- { "0x80000001.edx", "e1d", str_e1d },
- { "0x80000001.ecx", "e1c", str_e1c },
- { "0x0000000d:1.eax", "Da1", str_Da1 },
- { "0x00000007:0.ebx", "7b0", str_7b0 },
- { "0x00000007:0.ecx", "7c0", str_7c0 },
- { "0x80000007.edx", "e7d", str_e7d },
- { "0x80000008.ebx", "e8b", str_e8b },
- { "0x00000007:0.edx", "7d0", str_7d0 },
- { "0x00000007:1.eax", "7a1", str_7a1 },
- { "0x80000021.eax", "e21a", str_e21a },
- { "0x00000007:1.ebx", "7b1", str_7b1 },
- { "0x00000007:2.edx", "7d2", str_7d2 },
+ { "CPUID 0x00000001.edx", "1d", str_1d },
+ { "CPUID 0x00000001.ecx", "1c", str_1c },
+ { "CPUID 0x80000001.edx", "e1d", str_e1d },
+ { "CPUID 0x80000001.ecx", "e1c", str_e1c },
+ { "CPUID 0x0000000d:1.eax", "Da1", str_Da1 },
+ { "CPUID 0x00000007:0.ebx", "7b0", str_7b0 },
+ { "CPUID 0x00000007:0.ecx", "7c0", str_7c0 },
+ { "CPUID 0x80000007.edx", "e7d", str_e7d },
+ { "CPUID 0x80000008.ebx", "e8b", str_e8b },
+ { "CPUID 0x00000007:0.edx", "7d0", str_7d0 },
+ { "CPUID 0x00000007:1.eax", "7a1", str_7a1 },
+ { "CPUID 0x80000021.eax", "e21a", str_e21a },
+ { "CPUID 0x00000007:1.ebx", "7b1", str_7b1 },
+ { "CPUID 0x00000007:2.edx", "7d2", str_7d2 },
+ { "CPUID 0x00000007:1.ecx", "7c1", str_7c1 },
+ { "CPUID 0x00000007:1.edx", "7d1", str_7d1 },
+ { "MSR_ARCH_CAPS.lo", "m10Al", str_m10Al },
+ { "MSR_ARCH_CAPS.hi", "m10Ah", str_m10Ah },
};
-#define COL_ALIGN "18"
+#define COL_ALIGN "24"
-static struct fsinfo {
- const char *name;
- uint32_t len;
- uint32_t *fs;
-} featuresets[] =
-{
- [XEN_SYSCTL_cpu_featureset_host] = { "Host", 0, NULL },
- [XEN_SYSCTL_cpu_featureset_raw] = { "Raw", 0, NULL },
- [XEN_SYSCTL_cpu_featureset_pv] = { "PV", 0, NULL },
- [XEN_SYSCTL_cpu_featureset_hvm] = { "HVM", 0, NULL },
+static const char *const fs_names[] = {
+ [XEN_SYSCTL_cpu_featureset_raw] = "Raw",
+ [XEN_SYSCTL_cpu_featureset_host] = "Host",
+ [XEN_SYSCTL_cpu_featureset_pv] = "PV Default",
+ [XEN_SYSCTL_cpu_featureset_hvm] = "HVM Default",
+ [XEN_SYSCTL_cpu_featureset_pv_max] = "PV Max",
+ [XEN_SYSCTL_cpu_featureset_hvm_max] = "HVM Max",
};
static void dump_leaf(uint32_t leaf, const char *const *strs)
@@ -278,22 +312,10 @@
}
}
-static int get_featureset(xc_interface *xch, unsigned int idx)
-{
- struct fsinfo *f = &featuresets[idx];
-
- f->len = nr_features;
- f->fs = calloc(nr_features, sizeof(*f->fs));
-
- if ( !f->fs )
- err(1, "calloc(, featureset)");
-
- return xc_get_cpu_featureset(xch, idx, &f->len, f->fs);
-}
-
static void dump_info(xc_interface *xch, bool detail)
{
unsigned int i;
+ uint32_t *fs;
printf("nr_features: %u\n", nr_features);
@@ -324,26 +346,34 @@
nr_features, "HVM Hap Default", detail);
printf("\nDynamic sets:\n");
- for ( i = 0; i < ARRAY_SIZE(featuresets); ++i )
+
+ fs = malloc(sizeof(*fs) * nr_features);
+ if ( !fs )
+ err(1, "malloc(featureset)");
+
+ for ( i = 0; i < ARRAY_SIZE(fs_names); ++i )
{
- if ( get_featureset(xch, i) )
+ uint32_t len = nr_features;
+ int ret;
+
+ memset(fs, 0, sizeof(*fs) * nr_features);
+
+ ret = xc_get_cpu_featureset(xch, i, &len, fs);
+ if ( ret )
{
if ( errno == EOPNOTSUPP )
{
- printf("%s featureset not supported by Xen\n",
- featuresets[i].name);
+ printf("%s featureset not supported by Xen\n", fs_names[i]);
continue;
}
err(1, "xc_get_featureset()");
}
- decode_featureset(featuresets[i].fs, featuresets[i].len,
- featuresets[i].name, detail);
+ decode_featureset(fs, len, fs_names[i], detail);
}
- for ( i = 0; i < ARRAY_SIZE(featuresets); ++i )
- free(featuresets[i].fs);
+ free(fs);
}
static void print_policy(const char *name,
diff -Nru xen-4.14.5+94-ge49571868d/tools/ocaml/libs/xc/xenctrl.ml xen-4.14.6/tools/ocaml/libs/xc/xenctrl.ml
--- xen-4.14.5+94-ge49571868d/tools/ocaml/libs/xc/xenctrl.ml 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/ocaml/libs/xc/xenctrl.ml 2023-08-07 14:11:14.000000000 +0200
@@ -274,7 +274,13 @@
external version_capabilities: handle -> string =
"stub_xc_version_capabilities"
-type featureset_index = Featureset_raw | Featureset_host | Featureset_pv | Featureset_hvm
+type featureset_index =
+ | Featureset_raw
+ | Featureset_host
+ | Featureset_pv
+ | Featureset_hvm
+ | Featureset_pv_max
+ | Featureset_hvm_max
external get_cpu_featureset : handle -> featureset_index -> int64 array = "stub_xc_get_cpu_featureset"
external watchdog : handle -> int -> int32 -> int
diff -Nru xen-4.14.5+94-ge49571868d/tools/ocaml/libs/xc/xenctrl.mli xen-4.14.6/tools/ocaml/libs/xc/xenctrl.mli
--- xen-4.14.5+94-ge49571868d/tools/ocaml/libs/xc/xenctrl.mli 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/ocaml/libs/xc/xenctrl.mli 2023-08-07 14:11:14.000000000 +0200
@@ -212,7 +212,13 @@
external version_capabilities : handle -> string
= "stub_xc_version_capabilities"
-type featureset_index = Featureset_raw | Featureset_host | Featureset_pv | Featureset_hvm
+type featureset_index =
+ | Featureset_raw
+ | Featureset_host
+ | Featureset_pv
+ | Featureset_hvm
+ | Featureset_pv_max
+ | Featureset_hvm_max
external get_cpu_featureset : handle -> featureset_index -> int64 array = "stub_xc_get_cpu_featureset"
external pages_to_kib : int64 -> int64 = "stub_pages_to_kib"
diff -Nru xen-4.14.5+94-ge49571868d/tools/Rules.mk xen-4.14.6/tools/Rules.mk
--- xen-4.14.5+94-ge49571868d/tools/Rules.mk 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/Rules.mk 2023-08-07 14:11:14.000000000 +0200
@@ -6,6 +6,11 @@
-include $(XEN_ROOT)/config/Tools.mk
include $(XEN_ROOT)/Config.mk
+XEN_FULLVERSION=$(shell env \
+ XEN_EXTRAVERSION=$(XEN_EXTRAVERSION) \
+ XEN_VENDORVERSION=$(XEN_VENDORVERSION) \
+ $(SHELL) $(XEN_ROOT)/version.sh --full $(XEN_ROOT)/xen/Makefile)
+
export _INSTALL := $(INSTALL)
INSTALL = $(XEN_ROOT)/tools/cross-install
diff -Nru xen-4.14.5+94-ge49571868d/tools/tests/cpu-policy/test-cpu-policy.c xen-4.14.6/tools/tests/cpu-policy/test-cpu-policy.c
--- xen-4.14.5+94-ge49571868d/tools/tests/cpu-policy/test-cpu-policy.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/tests/cpu-policy/test-cpu-policy.c 2023-08-07 14:11:14.000000000 +0200
@@ -88,14 +88,14 @@
static void test_cpuid_current(void)
{
- struct cpuid_policy p;
+ struct cpu_policy p;
xen_cpuid_leaf_t leaves[CPUID_MAX_SERIALISED_LEAVES];
unsigned int nr = ARRAY_SIZE(leaves);
int rc;
printf("Testing CPUID on current CPU\n");
- x86_cpuid_policy_fill_native(&p);
+ x86_cpu_policy_fill_native(&p);
rc = x86_cpuid_copy_to_buffer(&p, leaves, &nr);
if ( rc != 0 )
@@ -108,7 +108,7 @@
static void test_cpuid_serialise_success(void)
{
static const struct test {
- struct cpuid_policy p;
+ struct cpu_policy p;
const char *name;
unsigned int nr_leaves;
} tests[] = {
@@ -232,7 +232,7 @@
static void test_msr_serialise_success(void)
{
static const struct test {
- struct msr_policy p;
+ struct cpu_policy p;
const char *name;
unsigned int nr_msrs;
} tests[] = {
@@ -374,11 +374,6 @@
.msr = { .idx = 0xce, .val = ~0ull },
.rc = -EOVERFLOW,
},
- {
- .name = "truncated val",
- .msr = { .idx = 0x10a, .val = ~0ull },
- .rc = -EOVERFLOW,
- },
};
printf("Testing MSR deserialise failure:\n");
@@ -413,7 +408,7 @@
static const struct test {
const char *name;
unsigned int nr_markers;
- struct cpuid_policy p;
+ struct cpu_policy p;
} tests[] = {
{
.name = "basic",
@@ -533,11 +528,11 @@
for ( size_t i = 0; i < ARRAY_SIZE(tests); ++i )
{
const struct test *t = &tests[i];
- struct cpuid_policy *p = memdup(&t->p);
+ struct cpu_policy *p = memdup(&t->p);
void *ptr;
unsigned int nr_markers;
- x86_cpuid_policy_clear_out_of_range_leaves(p);
+ x86_cpu_policy_clear_out_of_range_leaves(p);
/* Count the number of 0xc2's still remaining. */
for ( ptr = p, nr_markers = 0;
@@ -557,23 +552,20 @@
{
static struct test {
const char *name;
- struct cpuid_policy host_cpuid;
- struct cpuid_policy guest_cpuid;
- struct msr_policy host_msr;
- struct msr_policy guest_msr;
+ struct cpu_policy host, guest;
} tests[] = {
{
.name = "Host CPUID faulting, Guest not",
- .host_msr = {
+ .host = {
.platform_info.cpuid_faulting = true,
},
},
{
.name = "Host CPUID faulting, Guest wanted",
- .host_msr = {
+ .host = {
.platform_info.cpuid_faulting = true,
},
- .guest_msr = {
+ .guest = {
.platform_info.cpuid_faulting = true,
},
},
@@ -585,15 +577,8 @@
for ( size_t i = 0; i < ARRAY_SIZE(tests); ++i )
{
struct test *t = &tests[i];
- struct cpu_policy sys = {
- &t->host_cpuid,
- &t->host_msr,
- }, new = {
- &t->guest_cpuid,
- &t->guest_msr,
- };
struct cpu_policy_errors e;
- int res = x86_cpu_policies_are_compatible(&sys, &new, &e);
+ int res = x86_cpu_policies_are_compatible(&t->host, &t->guest, &e);
/* Check the expected error output. */
if ( res != 0 || memcmp(&no_errors, &e, sizeof(no_errors)) )
@@ -607,25 +592,22 @@
{
static struct test {
const char *name;
- struct cpuid_policy host_cpuid;
- struct cpuid_policy guest_cpuid;
- struct msr_policy host_msr;
- struct msr_policy guest_msr;
+ struct cpu_policy host, guest;
struct cpu_policy_errors e;
} tests[] = {
{
.name = "Host basic.max_leaf out of range",
- .guest_cpuid.basic.max_leaf = 1,
+ .guest.basic.max_leaf = 1,
.e = { 0, -1, -1 },
},
{
.name = "Host extd.max_leaf out of range",
- .guest_cpuid.extd.max_leaf = 1,
+ .guest.extd.max_leaf = 1,
.e = { 0x80000000, -1, -1 },
},
{
.name = "Host no CPUID faulting, Guest wanted",
- .guest_msr = {
+ .guest = {
.platform_info.cpuid_faulting = true,
},
.e = { -1, -1, 0xce },
@@ -637,15 +619,8 @@
for ( size_t i = 0; i < ARRAY_SIZE(tests); ++i )
{
struct test *t = &tests[i];
- struct cpu_policy sys = {
- &t->host_cpuid,
- &t->host_msr,
- }, new = {
- &t->guest_cpuid,
- &t->guest_msr,
- };
struct cpu_policy_errors e;
- int res = x86_cpu_policies_are_compatible(&sys, &new, &e);
+ int res = x86_cpu_policies_are_compatible(&t->host, &t->guest, &e);
/* Check the expected error output. */
if ( res == 0 || memcmp(&t->e, &e, sizeof(t->e)) )
diff -Nru xen-4.14.5+94-ge49571868d/tools/tests/x86_emulator/Makefile xen-4.14.6/tools/tests/x86_emulator/Makefile
--- xen-4.14.5+94-ge49571868d/tools/tests/x86_emulator/Makefile 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/tests/x86_emulator/Makefile 2023-08-07 14:11:14.000000000 +0200
@@ -286,7 +286,7 @@
x86.h := $(addprefix $(XEN_ROOT)/tools/include/xen/asm/,\
x86-vendors.h x86-defns.h msr-index.h) \
$(addprefix $(XEN_ROOT)/tools/include/xen/lib/x86/, \
- cpuid.h cpuid-autogen.h)
+ cpu-policy.h cpuid-autogen.h)
x86_emulate.h := x86-emulate.h x86_emulate/x86_emulate.h $(x86.h)
x86-emulate.o cpuid.o test_x86_emulator.o evex-disp8.o predicates.o wrappers.o: %.o: %.c $(x86_emulate.h)
diff -Nru xen-4.14.5+94-ge49571868d/tools/tests/x86_emulator/test_x86_emulator.c xen-4.14.6/tools/tests/x86_emulator/test_x86_emulator.c
--- xen-4.14.5+94-ge49571868d/tools/tests/x86_emulator/test_x86_emulator.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/tests/x86_emulator/test_x86_emulator.c 2023-08-07 14:11:14.000000000 +0200
@@ -885,7 +885,7 @@
ctxt.regs = ®s;
ctxt.force_writeback = 0;
- ctxt.cpuid = &cp;
+ ctxt.cpu_policy = &cp;
ctxt.lma = sizeof(void *) == 8;
ctxt.addr_size = 8 * sizeof(void *);
ctxt.sp_size = 8 * sizeof(void *);
diff -Nru xen-4.14.5+94-ge49571868d/tools/tests/x86_emulator/x86-emulate.c xen-4.14.6/tools/tests/x86_emulator/x86-emulate.c
--- xen-4.14.5+94-ge49571868d/tools/tests/x86_emulator/x86-emulate.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/tests/x86_emulator/x86-emulate.c 2023-08-07 14:11:14.000000000 +0200
@@ -38,7 +38,7 @@
#define put_stub(stb) ((stb).addr = 0)
uint32_t mxcsr_mask = 0x0000ffbf;
-struct cpuid_policy cp;
+struct cpu_policy cp;
static char fpu_save_area[4096] __attribute__((__aligned__((64))));
static bool use_xsave;
@@ -85,7 +85,7 @@
unsigned long sp;
- x86_cpuid_policy_fill_native(&cp);
+ x86_cpu_policy_fill_native(&cp);
/*
* The emulator doesn't use these instructions, so can always emulate
diff -Nru xen-4.14.5+94-ge49571868d/tools/tests/x86_emulator/x86-emulate.h xen-4.14.6/tools/tests/x86_emulator/x86-emulate.h
--- xen-4.14.5+94-ge49571868d/tools/tests/x86_emulator/x86-emulate.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/tests/x86_emulator/x86-emulate.h 2023-08-07 14:11:14.000000000 +0200
@@ -68,7 +68,7 @@
#define is_canonical_address(x) (((int64_t)(x) >> 47) == ((int64_t)(x) >> 63))
extern uint32_t mxcsr_mask;
-extern struct cpuid_policy cp;
+extern struct cpu_policy cp;
#define MMAP_SZ 16384
bool emul_test_init(void);
diff -Nru xen-4.14.5+94-ge49571868d/tools/xl/xl_parse.c xen-4.14.6/tools/xl/xl_parse.c
--- xen-4.14.5+94-ge49571868d/tools/xl/xl_parse.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/tools/xl/xl_parse.c 2023-08-07 14:11:14.000000000 +0200
@@ -2465,6 +2465,9 @@
case 3:
errstr = "illegal CPUID value (must be: [0|1|x|k|s])";
break;
+ case ERROR_NOMEM:
+ errstr = "out of memory";
+ break;
default:
errstr = "unknown error";
break;
diff -Nru xen-4.14.5+94-ge49571868d/.travis.yml xen-4.14.6/.travis.yml
--- xen-4.14.5+94-ge49571868d/.travis.yml 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/.travis.yml 1970-01-01 01:00:00.000000000 +0100
@@ -1,88 +0,0 @@
-language: c
-dist: trusty
-sudo: required
-# don't test master, smoke and coverity branches
-branches:
- except:
- - master
- - smoke
- - /^coverity-tested\/.*/
- - /^stable-.*/
-matrix:
- include:
- - compiler: gcc
- env: XEN_TARGET_ARCH=x86_64 debug=n
- - compiler: gcc
- env: XEN_TARGET_ARCH=x86_64 XEN_CONFIG_EXPERT=y RANDCONFIG=y debug=n
- - compiler: gcc-5
- env: XEN_TARGET_ARCH=x86_64 debug=n
- - compiler: gcc
- env: XEN_TARGET_ARCH=x86_64 debug=y
- - compiler: gcc-5
- env: XEN_TARGET_ARCH=x86_64 debug=y
- - compiler: clang
- env: XEN_TARGET_ARCH=x86_64 clang=y debug=n
- - compiler: clang
- env: XEN_TARGET_ARCH=x86_64 clang=y debug=y
- - compiler: gcc
- env: XEN_TARGET_ARCH=arm32 CROSS_COMPILE=arm-linux-gnueabihf- debug=n
- - compiler: gcc
- env: XEN_TARGET_ARCH=arm32 CROSS_COMPILE=arm-linux-gnueabihf- XEN_CONFIG_EXPERT=y RANDCONFIG=y debug=n
- - compiler: gcc
- env: XEN_TARGET_ARCH=arm32 CROSS_COMPILE=arm-linux-gnueabihf- debug=y
- - compiler: gcc
- env: XEN_TARGET_ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- debug=n
- - compiler: gcc
- env: XEN_TARGET_ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- XEN_CONFIG_EXPERT=y RANDCONFIG=y debug=n
- - compiler: gcc
- env: XEN_TARGET_ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- debug=y
-addons:
- apt:
- sources:
- - ubuntu-toolchain-r-test
- packages:
- - zlib1g-dev
- - libncurses5-dev
- - libssl-dev
- - python-dev
- - xorg-dev
- - uuid-dev
- - libyajl-dev
- - libaio-dev
- - libglib2.0-dev
- - libpixman-1-dev
- - pkg-config
- - flex
- - bison
- - gettext
- - acpica-tools
- - bin86
- - bcc
- - libc6-dev-i386
- - libnl-3-dev
- - ocaml-nox
- - libfindlib-ocaml-dev
- - transfig
- - pandoc
- - gcc-arm-linux-gnueabihf
- - gcc-aarch64-linux-gnu
- - gcc-5
- - g++-5
- - seabios
- - checkpolicy
- - ghostscript
-# we must set CXX manually instead of using 'language: cpp' due to
-# travis-ci/travis-ci#3871
-before_script:
- - export CXX=${CC/cc/++}
- - export CXX=${CXX/clang/clang++}
-script:
- - ./scripts/travis-build
-after_script:
- - cat xen/.config
- - cat tools/config.log
- - cat docs/config.log
-notifications:
- irc:
- channels:
- - secure: "mPIFllF6eW3F3talvccMy55Tfcid66IPkkXZYCxDKRF2DQrMyvmg4qt0xN6gGZsdfOBMNr+/YfO5PxusBCUkVdBGBzd3QhFoIDYZbJZgzVh3yNDQ+x4L7p1cZNrwJ2loMmSX6KxGKZxZX9NRStrTUkVyp0jGZB9xkwT8Rl6jXj7EQkgQ95K1Wqafx0ycLfyDQmzX9bzi/3KIBFKMGmK18AFMh+R30zK0FPUUsS4+VhepIkVqO5puU3OYePd34wRnWlt7hjU2Vj5vYmVXp3UOE+E8/Lf9IGVAhitDi+EC35b8zo2BHJ9z6xZARYPvfSqbXcXV20RycabI+e3ufZJ40eatssly5QjWH+HhKS42C4gV1psmQhkTCNCM62Ty5uf6R1hsZJQuiOZrc8ojdje8ey2MxJk4R+Xz+Igg1/kD6+WX9/Y6Y3iRuj5HL1xCYfpTbK4mC7ofw0SofW2aAGI68jHpCqJdQCDzMl6748PlDMM0eKe0MPKIEenYHcoBnOEC/jciXUDa6wduV75EEip7oq2i+m44MopcsEDTpdliH077GhKapF0ActjvBTLpyoTRSfkKm0NZol/dgwd3PGG/mY8clIoeXWRb4opk93ejPC967KmSNC68SlfwaJmFZS5T9vAgb6k7r6i9G3dmYtrLKzws8IV1CPWqLzk58+v4pRk="
diff -Nru xen-4.14.5+94-ge49571868d/version.sh xen-4.14.6/version.sh
--- xen-4.14.5+94-ge49571868d/version.sh 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/version.sh 2023-08-07 14:11:14.000000000 +0200
@@ -1,5 +1,21 @@
#!/bin/sh
+opt_full=false
+while [ $# -gt 1 ]; do
+ case "$1" in
+ --full) opt_full=true ;;
+ *) break ;;
+ esac
+ shift
+done
+
MAJOR=`grep "export XEN_VERSION" $1 | sed 's/.*=//g' | tr -s " "`
MINOR=`grep "export XEN_SUBVERSION" $1 | sed 's/.*=//g' | tr -s " "`
-printf "%d.%d" $MAJOR $MINOR
+
+if $opt_full; then
+ extraversion=$(grep "export XEN_EXTRAVERSION" $1 | sed 's/^.* ?=\s\+//; s/\$([^)]*)//g; s/ //g')
+ : ${XEN_EXTRAVERSION:=${extraversion}${XEN_VENDORVERSION}}
+else
+ unset XEN_EXTRAVERSION
+fi
+printf "%d.%d%s" $MAJOR $MINOR $XEN_EXTRAVERSION
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/cpu/amd.c xen-4.14.6/xen/arch/x86/cpu/amd.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/cpu/amd.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/cpu/amd.c 2023-08-07 14:11:14.000000000 +0200
@@ -13,6 +13,7 @@
#include <asm/spec_ctrl.h>
#include <asm/acpi.h>
#include <asm/apic.h>
+#include <asm/microcode.h>
#include "cpu.h"
@@ -756,6 +757,72 @@
wrmsr_safe(MSR_AMD64_DE_CFG2, val | chickenbit);
}
+void amd_check_zenbleed(void)
+{
+ const struct cpu_signature *sig = &this_cpu(cpu_sig);
+ unsigned int good_rev;
+ uint64_t val, old_val, chickenbit = (1 << 9);
+
+ /*
+ * If we're virtualised, we can't do family/model checks safely, and
+ * we likely wouldn't have access to DE_CFG even if we could see a
+ * microcode revision.
+ *
+ * A hypervisor may hide AVX as a stopgap mitigation. We're not in a
+ * position to care either way. An admin doesn't want to be disabling
+ * AVX as a mitigation on any build of Xen with this logic present.
+ */
+ if (cpu_has_hypervisor || boot_cpu_data.x86 != 0x17)
+ return;
+
+ switch (boot_cpu_data.x86_model) {
+ case 0x30 ... 0x3f: good_rev = 0x0830107a; break;
+ case 0x60 ... 0x67: good_rev = 0x0860010b; break;
+ case 0x68 ... 0x6f: good_rev = 0x08608105; break;
+ case 0x70 ... 0x7f: good_rev = 0x08701032; break;
+ case 0xa0 ... 0xaf: good_rev = 0x08a00008; break;
+ default:
+ /*
+ * With the Fam17h check above, parts getting here are Zen1.
+ * They're not affected.
+ */
+ return;
+ }
+
+ rdmsrl(MSR_AMD64_DE_CFG, val);
+ old_val = val;
+
+ /*
+ * Microcode is the preferred mitigation, in terms of performance.
+ * However, without microcode, this chickenbit (specific to the Zen2
+ * uarch) disables Floating Point Mov-Elimination to mitigate the
+ * issue.
+ */
+ val &= ~chickenbit;
+ if (sig->rev < good_rev)
+ val |= chickenbit;
+
+ if (val == old_val)
+ /* Nothing to change. */
+ return;
+
+ /*
+ * DE_CFG is a Core-scoped MSR, and this write is racy during late
+ * microcode load. However, both threads calculate the new value from
+ * state which is shared, and unrelated to the old value, so the
+ * result should be consistent.
+ */
+ wrmsrl(MSR_AMD64_DE_CFG, val);
+
+ /*
+ * Inform the admin that we changed something, but don't spam,
+ * especially during a late microcode load.
+ */
+ if (smp_processor_id() == 0)
+ printk(XENLOG_INFO "Zenbleed mitigation - using %s\n",
+ val & chickenbit ? "chickenbit" : "microcode");
+}
+
static void init_amd(struct cpuinfo_x86 *c)
{
u32 l, h;
@@ -1016,6 +1083,8 @@
if ((smp_processor_id() == 1) && !cpu_has(c, X86_FEATURE_ITSC))
disable_c1_ramping();
+ amd_check_zenbleed();
+
check_syscfg_dram_mod_en();
amd_log_freq(c);
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/cpu/common.c xen-4.14.6/xen/arch/x86/cpu/common.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/cpu/common.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/cpu/common.c 2023-08-07 14:11:14.000000000 +0200
@@ -3,6 +3,8 @@
#include <xen/delay.h>
#include <xen/param.h>
#include <xen/smp.h>
+
+#include <asm/cpu-policy.h>
#include <asm/current.h>
#include <asm/debugreg.h>
#include <asm/processor.h>
@@ -70,7 +72,7 @@
__builtin_return_address(0), cap);
__clear_bit(cap, boot_cpu_data.x86_capability);
- dfs = x86_cpuid_lookup_deep_deps(cap);
+ dfs = x86_cpu_policy_lookup_deep_deps(cap);
if (!dfs)
return;
@@ -135,7 +137,7 @@
return false;
if ((rc = rdmsr_safe(MSR_INTEL_PLATFORM_INFO, val)) == 0)
- raw_msr_policy.platform_info.cpuid_faulting =
+ raw_cpu_policy.platform_info.cpuid_faulting =
val & MSR_PLATFORM_INFO_CPUID_FAULTING;
if (rc ||
@@ -435,7 +437,8 @@
cpuid_count(7, 1,
&c->x86_capability[FEATURESET_7a1],
&c->x86_capability[FEATURESET_7b1],
- &tmp, &tmp);
+ &c->x86_capability[FEATURESET_7c1],
+ &c->x86_capability[FEATURESET_7d1]);
if (max_subleaf >= 2)
cpuid_count(7, 2,
&tmp, &tmp, &tmp,
@@ -446,6 +449,11 @@
cpuid_count(0xd, 1,
&c->x86_capability[FEATURESET_Da1],
&tmp, &tmp, &tmp);
+
+ if (test_bit(X86_FEATURE_ARCH_CAPS, c->x86_capability))
+ rdmsr(MSR_ARCH_CAPABILITIES,
+ c->x86_capability[FEATURESET_m10Al],
+ c->x86_capability[FEATURESET_m10Ah]);
}
/*
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/cpu/intel.c xen-4.14.6/xen/arch/x86/cpu/intel.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/cpu/intel.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/cpu/intel.c 2023-08-07 14:11:14.000000000 +0200
@@ -518,6 +518,18 @@
if ((opt_cpu_info && !(c->apicid & (c->x86_num_siblings - 1))) ||
c == &boot_cpu_data )
intel_log_freq(c);
+
+ /*
+ * The Gather Data Sampling microcode mitigation (August 2023) has an
+ * adverse performance impact on the CLWB instruction on SKX/CLX/CPX.
+ *
+ * On this model, CLWB has equivalent behaviour to CLFLUSHOPT but the
+ * latter is not impacted. Hide CLWB to cause Xen to fall back to
+ * using CLFLUSHOPT instead.
+ */
+ if (c == &boot_cpu_data &&
+ c->x86 == 6 && c->x86_model == 0x55 /* INTEL_FAM6_SKYLAKE_X */)
+ setup_clear_cpu_cap(X86_FEATURE_CLWB);
}
const struct cpu_dev intel_cpu_dev = {
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/cpu/microcode/amd.c xen-4.14.6/xen/arch/x86/cpu/microcode/amd.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/cpu/microcode/amd.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/cpu/microcode/amd.c 2023-08-07 14:11:14.000000000 +0200
@@ -251,6 +251,8 @@
printk(XENLOG_WARNING "microcode: CPU%u updated from revision %#x to %#x\n",
cpu, old_rev, rev);
+ amd_check_zenbleed();
+
return 0;
}
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/cpuid.c xen-4.14.6/xen/arch/x86/cpuid.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/cpuid.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/cpuid.c 2023-08-07 14:11:14.000000000 +0200
@@ -1,572 +1,15 @@
-#include <xen/init.h>
-#include <xen/lib.h>
-#include <xen/param.h>
#include <xen/sched.h>
#include <xen/nospec.h>
+#include <xen/types.h>
+
+#include <public/hvm/params.h>
+
+#include <asm/cpu-policy.h>
#include <asm/cpuid.h>
-#include <asm/hvm/hvm.h>
-#include <asm/hvm/nestedhvm.h>
-#include <asm/hvm/svm/svm.h>
#include <asm/hvm/viridian.h>
-#include <asm/hvm/vmx/vmcs.h>
-#include <asm/paging.h>
-#include <asm/processor.h>
#include <asm/xstate.h>
-const uint32_t known_features[] = INIT_KNOWN_FEATURES;
-const uint32_t special_features[] = INIT_SPECIAL_FEATURES;
-
-static const uint32_t pv_max_featuremask[] = INIT_PV_MAX_FEATURES;
-static const uint32_t hvm_shadow_max_featuremask[] = INIT_HVM_SHADOW_MAX_FEATURES;
-static const uint32_t hvm_hap_max_featuremask[] = INIT_HVM_HAP_MAX_FEATURES;
-static const uint32_t pv_def_featuremask[] = INIT_PV_DEF_FEATURES;
-static const uint32_t hvm_shadow_def_featuremask[] = INIT_HVM_SHADOW_DEF_FEATURES;
-static const uint32_t hvm_hap_def_featuremask[] = INIT_HVM_HAP_DEF_FEATURES;
-static const uint32_t deep_features[] = INIT_DEEP_FEATURES;
-
-static int __init parse_xen_cpuid(const char *s)
-{
- const char *ss;
- int val, rc = 0;
-
- do {
- static const struct feature {
- const char *name;
- unsigned int bit;
- } features[] __initconstrel = INIT_FEATURE_NAMES;
- const struct feature *lhs, *rhs, *mid = NULL /* GCC... */;
- const char *feat;
-
- ss = strchr(s, ',');
- if ( !ss )
- ss = strchr(s, '\0');
-
- /* Skip the 'no-' prefix for name comparisons. */
- feat = s;
- if ( strncmp(s, "no-", 3) == 0 )
- feat += 3;
-
- /* (Re)initalise lhs and rhs for binary search. */
- lhs = features;
- rhs = features + ARRAY_SIZE(features);
-
- while ( lhs < rhs )
- {
- int res;
-
- mid = lhs + (rhs - lhs) / 2;
- res = cmdline_strcmp(feat, mid->name);
-
- if ( res < 0 )
- {
- rhs = mid;
- continue;
- }
- if ( res > 0 )
- {
- lhs = mid + 1;
- continue;
- }
-
- if ( (val = parse_boolean(mid->name, s, ss)) >= 0 )
- {
- if ( !val )
- setup_clear_cpu_cap(mid->bit);
- else if ( mid->bit == X86_FEATURE_RDRAND &&
- (cpuid_ecx(1) & cpufeat_mask(X86_FEATURE_RDRAND)) )
- setup_force_cpu_cap(X86_FEATURE_RDRAND);
- mid = NULL;
- }
-
- break;
- }
-
- /*
- * Mid being NULL means that the name and boolean were successfully
- * identified. Everything else is an error.
- */
- if ( mid )
- rc = -EINVAL;
-
- s = ss + 1;
- } while ( *ss );
-
- return rc;
-}
-custom_param("cpuid", parse_xen_cpuid);
-
#define EMPTY_LEAF ((struct cpuid_leaf){})
-static void zero_leaves(struct cpuid_leaf *l,
- unsigned int first, unsigned int last)
-{
- memset(&l[first], 0, sizeof(*l) * (last - first + 1));
-}
-
-struct cpuid_policy __read_mostly raw_cpuid_policy,
- __read_mostly host_cpuid_policy;
-#ifdef CONFIG_PV
-struct cpuid_policy __read_mostly pv_max_cpuid_policy;
-struct cpuid_policy __read_mostly pv_def_cpuid_policy;
-#endif
-#ifdef CONFIG_HVM
-struct cpuid_policy __read_mostly hvm_max_cpuid_policy;
-struct cpuid_policy __read_mostly hvm_def_cpuid_policy;
-#endif
-
-static void sanitise_featureset(uint32_t *fs)
-{
- /* for_each_set_bit() uses unsigned longs. Extend with zeroes. */
- uint32_t disabled_features[
- ROUNDUP(FSCAPINTS, sizeof(unsigned long)/sizeof(uint32_t))] = {};
- unsigned int i;
-
- for ( i = 0; i < FSCAPINTS; ++i )
- {
- /* Clamp to known mask. */
- fs[i] &= known_features[i];
-
- /*
- * Identify which features with deep dependencies have been
- * disabled.
- */
- disabled_features[i] = ~fs[i] & deep_features[i];
- }
-
- for_each_set_bit(i, (void *)disabled_features,
- sizeof(disabled_features) * 8)
- {
- const uint32_t *dfs = x86_cpuid_lookup_deep_deps(i);
- unsigned int j;
-
- ASSERT(dfs); /* deep_features[] should guarentee this. */
-
- for ( j = 0; j < FSCAPINTS; ++j )
- {
- fs[j] &= ~dfs[j];
- disabled_features[j] &= ~dfs[j];
- }
- }
-}
-
-static void recalculate_xstate(struct cpuid_policy *p)
-{
- uint64_t xstates = XSTATE_FP_SSE;
- uint32_t xstate_size = XSTATE_AREA_MIN_SIZE;
- unsigned int i, Da1 = p->xstate.Da1;
-
- /*
- * The Da1 leaf is the only piece of information preserved in the common
- * case. Everything else is derived from other feature state.
- */
- memset(&p->xstate, 0, sizeof(p->xstate));
-
- if ( !p->basic.xsave )
- return;
-
- if ( p->basic.avx )
- {
- xstates |= X86_XCR0_YMM;
- xstate_size = max(xstate_size,
- xstate_offsets[X86_XCR0_YMM_POS] +
- xstate_sizes[X86_XCR0_YMM_POS]);
- }
-
- if ( p->feat.mpx )
- {
- xstates |= X86_XCR0_BNDREGS | X86_XCR0_BNDCSR;
- xstate_size = max(xstate_size,
- xstate_offsets[X86_XCR0_BNDCSR_POS] +
- xstate_sizes[X86_XCR0_BNDCSR_POS]);
- }
-
- if ( p->feat.avx512f )
- {
- xstates |= X86_XCR0_OPMASK | X86_XCR0_ZMM | X86_XCR0_HI_ZMM;
- xstate_size = max(xstate_size,
- xstate_offsets[X86_XCR0_HI_ZMM_POS] +
- xstate_sizes[X86_XCR0_HI_ZMM_POS]);
- }
-
- if ( p->feat.pku )
- {
- xstates |= X86_XCR0_PKRU;
- xstate_size = max(xstate_size,
- xstate_offsets[X86_XCR0_PKRU_POS] +
- xstate_sizes[X86_XCR0_PKRU_POS]);
- }
-
- p->xstate.max_size = xstate_size;
- p->xstate.xcr0_low = xstates & ~XSTATE_XSAVES_ONLY;
- p->xstate.xcr0_high = (xstates & ~XSTATE_XSAVES_ONLY) >> 32;
-
- p->xstate.Da1 = Da1;
- if ( p->xstate.xsaves )
- {
- p->xstate.xss_low = xstates & XSTATE_XSAVES_ONLY;
- p->xstate.xss_high = (xstates & XSTATE_XSAVES_ONLY) >> 32;
- }
- else
- xstates &= ~XSTATE_XSAVES_ONLY;
-
- for ( i = 2; i < min(63ul, ARRAY_SIZE(p->xstate.comp)); ++i )
- {
- uint64_t curr_xstate = 1ul << i;
-
- if ( !(xstates & curr_xstate) )
- continue;
-
- p->xstate.comp[i].size = xstate_sizes[i];
- p->xstate.comp[i].offset = xstate_offsets[i];
- p->xstate.comp[i].xss = curr_xstate & XSTATE_XSAVES_ONLY;
- p->xstate.comp[i].align = curr_xstate & xstate_align;
- }
-}
-
-/*
- * Misc adjustments to the policy. Mostly clobbering reserved fields and
- * duplicating shared fields. Intentionally hidden fields are annotated.
- */
-static void recalculate_misc(struct cpuid_policy *p)
-{
- p->basic.raw_fms &= 0x0fff0fff; /* Clobber Processor Type on Intel. */
- p->basic.apic_id = 0; /* Dynamic. */
-
- p->basic.raw[0x5] = EMPTY_LEAF; /* MONITOR not exposed to guests. */
- p->basic.raw[0x6] = EMPTY_LEAF; /* Therm/Power not exposed to guests. */
-
- p->basic.raw[0x8] = EMPTY_LEAF;
-
- /* TODO: Rework topology logic. */
- memset(p->topo.raw, 0, sizeof(p->topo.raw));
-
- p->basic.raw[0xc] = EMPTY_LEAF;
-
- p->extd.e1d &= ~CPUID_COMMON_1D_FEATURES;
-
- /* Most of Power/RAS hidden from guests. */
- p->extd.raw[0x7].a = p->extd.raw[0x7].b = p->extd.raw[0x7].c = 0;
-
- p->extd.raw[0x8].d = 0;
-
- switch ( p->x86_vendor )
- {
- case X86_VENDOR_INTEL:
- p->basic.l2_nr_queries = 1; /* Fixed to 1 query. */
- p->basic.raw[0x3] = EMPTY_LEAF; /* PSN - always hidden. */
- p->basic.raw[0x9] = EMPTY_LEAF; /* DCA - always hidden. */
-
- p->extd.vendor_ebx = 0;
- p->extd.vendor_ecx = 0;
- p->extd.vendor_edx = 0;
-
- p->extd.raw[0x1].a = p->extd.raw[0x1].b = 0;
-
- p->extd.raw[0x5] = EMPTY_LEAF;
- p->extd.raw[0x6].a = p->extd.raw[0x6].b = p->extd.raw[0x6].d = 0;
-
- p->extd.raw[0x8].a &= 0x0000ffff;
- p->extd.raw[0x8].c = 0;
- break;
-
- case X86_VENDOR_AMD:
- case X86_VENDOR_HYGON:
- zero_leaves(p->basic.raw, 0x2, 0x3);
- memset(p->cache.raw, 0, sizeof(p->cache.raw));
- zero_leaves(p->basic.raw, 0x9, 0xa);
-
- p->extd.vendor_ebx = p->basic.vendor_ebx;
- p->extd.vendor_ecx = p->basic.vendor_ecx;
- p->extd.vendor_edx = p->basic.vendor_edx;
-
- p->extd.raw_fms = p->basic.raw_fms;
- p->extd.raw[0x1].b &= 0xff00ffff;
- p->extd.e1d |= p->basic._1d & CPUID_COMMON_1D_FEATURES;
-
- p->extd.raw[0x8].a &= 0x0000ffff; /* GuestMaxPhysAddr hidden. */
- p->extd.raw[0x8].c &= 0x0003f0ff;
-
- p->extd.raw[0x9] = EMPTY_LEAF;
-
- zero_leaves(p->extd.raw, 0xb, 0x18);
-
- /* 0x19 - TLB details. Pass through. */
- /* 0x1a - Perf hints. Pass through. */
-
- p->extd.raw[0x1b] = EMPTY_LEAF; /* IBS - not supported. */
- p->extd.raw[0x1c] = EMPTY_LEAF; /* LWP - not supported. */
- p->extd.raw[0x1d] = EMPTY_LEAF; /* TopoExt Cache */
- p->extd.raw[0x1e] = EMPTY_LEAF; /* TopoExt APIC ID/Core/Node */
- p->extd.raw[0x1f] = EMPTY_LEAF; /* SEV */
- p->extd.raw[0x20] = EMPTY_LEAF; /* Platform QoS */
- break;
- }
-}
-
-static void __init calculate_raw_policy(void)
-{
- struct cpuid_policy *p = &raw_cpuid_policy;
-
- x86_cpuid_policy_fill_native(p);
-
- /* Nothing good will come from Xen and libx86 disagreeing on vendor. */
- ASSERT(p->x86_vendor == boot_cpu_data.x86_vendor);
-}
-
-static void __init calculate_host_policy(void)
-{
- struct cpuid_policy *p = &host_cpuid_policy;
- unsigned int max_extd_leaf;
-
- *p = raw_cpuid_policy;
-
- p->basic.max_leaf =
- min_t(uint32_t, p->basic.max_leaf, ARRAY_SIZE(p->basic.raw) - 1);
- p->feat.max_subleaf =
- min_t(uint32_t, p->feat.max_subleaf, ARRAY_SIZE(p->feat.raw) - 1);
-
- max_extd_leaf = p->extd.max_leaf;
-
- /*
- * For AMD/Hygon hardware before Zen3, we unilaterally modify LFENCE to be
- * dispatch serialising for Spectre mitigations. Extend max_extd_leaf
- * beyond what hardware supports, to include the feature leaf containing
- * this information.
- */
- if ( cpu_has_lfence_dispatch )
- max_extd_leaf = max(max_extd_leaf, 0x80000021);
-
- p->extd.max_leaf = 0x80000000 | min_t(uint32_t, max_extd_leaf & 0xffff,
- ARRAY_SIZE(p->extd.raw) - 1);
-
- cpuid_featureset_to_policy(boot_cpu_data.x86_capability, p);
- recalculate_xstate(p);
- recalculate_misc(p);
-
- /* When vPMU is disabled, drop it from the host policy. */
- if ( vpmu_mode == XENPMU_MODE_OFF )
- p->basic.raw[0xa] = EMPTY_LEAF;
-
- if ( p->extd.svm )
- {
- /* Clamp to implemented features which require hardware support. */
- p->extd.raw[0xa].d &= ((1u << SVM_FEATURE_NPT) |
- (1u << SVM_FEATURE_LBRV) |
- (1u << SVM_FEATURE_NRIPS) |
- (1u << SVM_FEATURE_PAUSEFILTER) |
- (1u << SVM_FEATURE_DECODEASSISTS));
- /* Enable features which are always emulated. */
- p->extd.raw[0xa].d |= ((1u << SVM_FEATURE_VMCBCLEAN) |
- (1u << SVM_FEATURE_TSCRATEMSR));
- }
-}
-
-static void __init guest_common_default_feature_adjustments(uint32_t *fs)
-{
- /*
- * IvyBridge client parts suffer from leakage of RDRAND data due to SRBDS
- * (XSA-320 / CVE-2020-0543), and won't be receiving microcode to
- * compensate.
- *
- * Mitigate by hiding RDRAND from guests by default, unless explicitly
- * overridden on the Xen command line (cpuid=rdrand). Irrespective of the
- * default setting, guests can use RDRAND if explicitly enabled
- * (cpuid="host,rdrand=1") in the VM's config file, and VMs which were
- * previously using RDRAND can migrate in.
- */
- if ( boot_cpu_data.x86_vendor == X86_VENDOR_INTEL &&
- boot_cpu_data.x86 == 6 && boot_cpu_data.x86_model == 0x3a &&
- cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) )
- __clear_bit(X86_FEATURE_RDRAND, fs);
-
- /*
- * On certain hardware, speculative or errata workarounds can result in
- * TSX being placed in "force-abort" mode, where it doesn't actually
- * function as expected, but is technically compatible with the ISA.
- *
- * Do not advertise RTM to guests by default if it won't actually work.
- */
- if ( rtm_disabled )
- __clear_bit(X86_FEATURE_RTM, fs);
-}
-
-static void __init guest_common_feature_adjustments(uint32_t *fs)
-{
- /* Unconditionally claim to be able to set the hypervisor bit. */
- __set_bit(X86_FEATURE_HYPERVISOR, fs);
-
- /*
- * If IBRS is offered to the guest, unconditionally offer STIBP. It is a
- * nop on non-HT hardware, and has this behaviour to make heterogeneous
- * setups easier to manage.
- */
- if ( test_bit(X86_FEATURE_IBRSB, fs) )
- __set_bit(X86_FEATURE_STIBP, fs);
- if ( test_bit(X86_FEATURE_IBRS, fs) )
- __set_bit(X86_FEATURE_AMD_STIBP, fs);
-
- /*
- * On hardware which supports IBRS/IBPB, we can offer IBPB independently
- * of IBRS by using the AMD feature bit. An administrator may wish for
- * performance reasons to offer IBPB without IBRS.
- */
- if ( host_cpuid_policy.feat.ibrsb )
- __set_bit(X86_FEATURE_IBPB, fs);
-}
-
-static void __init calculate_pv_max_policy(void)
-{
- struct cpuid_policy *p = &pv_max_cpuid_policy;
- uint32_t pv_featureset[FSCAPINTS];
- unsigned int i;
-
- *p = host_cpuid_policy;
- cpuid_policy_to_featureset(p, pv_featureset);
-
- for ( i = 0; i < ARRAY_SIZE(pv_featureset); ++i )
- pv_featureset[i] &= pv_max_featuremask[i];
-
- /*
- * If Xen isn't virtualising MSR_SPEC_CTRL for PV guests (functional
- * availability, or admin choice), hide the feature.
- */
- if ( !boot_cpu_has(X86_FEATURE_SC_MSR_PV) )
- {
- __clear_bit(X86_FEATURE_IBRSB, pv_featureset);
- __clear_bit(X86_FEATURE_IBRS, pv_featureset);
- }
-
- guest_common_feature_adjustments(pv_featureset);
-
- sanitise_featureset(pv_featureset);
- cpuid_featureset_to_policy(pv_featureset, p);
- recalculate_xstate(p);
-
- p->extd.raw[0xa] = EMPTY_LEAF; /* No SVM for PV guests. */
-}
-
-static void __init calculate_pv_def_policy(void)
-{
- struct cpuid_policy *p = &pv_def_cpuid_policy;
- uint32_t pv_featureset[FSCAPINTS];
- unsigned int i;
-
- *p = pv_max_cpuid_policy;
- cpuid_policy_to_featureset(p, pv_featureset);
-
- for ( i = 0; i < ARRAY_SIZE(pv_featureset); ++i )
- pv_featureset[i] &= pv_def_featuremask[i];
-
- guest_common_feature_adjustments(pv_featureset);
- guest_common_default_feature_adjustments(pv_featureset);
-
- sanitise_featureset(pv_featureset);
- cpuid_featureset_to_policy(pv_featureset, p);
- recalculate_xstate(p);
-}
-
-static void __init calculate_hvm_max_policy(void)
-{
- struct cpuid_policy *p = &hvm_max_cpuid_policy;
- uint32_t hvm_featureset[FSCAPINTS];
- unsigned int i;
- const uint32_t *hvm_featuremask;
-
- *p = host_cpuid_policy;
- cpuid_policy_to_featureset(p, hvm_featureset);
-
- hvm_featuremask = hvm_hap_supported() ?
- hvm_hap_max_featuremask : hvm_shadow_max_featuremask;
-
- for ( i = 0; i < ARRAY_SIZE(hvm_featureset); ++i )
- hvm_featureset[i] &= hvm_featuremask[i];
-
- /*
- * Xen can provide an (x2)APIC emulation to HVM guests even if the host's
- * (x2)APIC isn't enabled.
- */
- __set_bit(X86_FEATURE_APIC, hvm_featureset);
- __set_bit(X86_FEATURE_X2APIC, hvm_featureset);
-
- /*
- * On AMD, PV guests are entirely unable to use SYSENTER as Xen runs in
- * long mode (and init_amd() has cleared it out of host capabilities), but
- * HVM guests are able if running in protected mode.
- */
- if ( (boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON)) &&
- raw_cpuid_policy.basic.sep )
- __set_bit(X86_FEATURE_SEP, hvm_featureset);
-
- /*
- * If Xen isn't virtualising MSR_SPEC_CTRL for HVM guests (functional
- * availability, or admin choice), hide the feature.
- */
- if ( !boot_cpu_has(X86_FEATURE_SC_MSR_HVM) )
- {
- __clear_bit(X86_FEATURE_IBRSB, hvm_featureset);
- __clear_bit(X86_FEATURE_IBRS, hvm_featureset);
- }
-
- /*
- * With VT-x, some features are only supported by Xen if dedicated
- * hardware support is also available.
- */
- if ( cpu_has_vmx )
- {
- if ( !cpu_has_vmx_mpx )
- __clear_bit(X86_FEATURE_MPX, hvm_featureset);
-
- if ( !cpu_has_vmx_xsaves )
- __clear_bit(X86_FEATURE_XSAVES, hvm_featureset);
- }
-
- guest_common_feature_adjustments(hvm_featureset);
-
- sanitise_featureset(hvm_featureset);
- cpuid_featureset_to_policy(hvm_featureset, p);
- recalculate_xstate(p);
-}
-
-static void __init calculate_hvm_def_policy(void)
-{
- struct cpuid_policy *p = &hvm_def_cpuid_policy;
- uint32_t hvm_featureset[FSCAPINTS];
- unsigned int i;
- const uint32_t *hvm_featuremask;
-
- *p = hvm_max_cpuid_policy;
- cpuid_policy_to_featureset(p, hvm_featureset);
-
- hvm_featuremask = hvm_hap_supported() ?
- hvm_hap_def_featuremask : hvm_shadow_def_featuremask;
-
- for ( i = 0; i < ARRAY_SIZE(hvm_featureset); ++i )
- hvm_featureset[i] &= hvm_featuremask[i];
-
- guest_common_feature_adjustments(hvm_featureset);
- guest_common_default_feature_adjustments(hvm_featureset);
-
- sanitise_featureset(hvm_featureset);
- cpuid_featureset_to_policy(hvm_featureset, p);
- recalculate_xstate(p);
-}
-
-void __init init_guest_cpuid(void)
-{
- calculate_raw_policy();
- calculate_host_policy();
-
- if ( IS_ENABLED(CONFIG_PV) )
- {
- calculate_pv_max_policy();
- calculate_pv_def_policy();
- }
-
- if ( hvm_enabled )
- {
- calculate_hvm_max_policy();
- calculate_hvm_def_policy();
- }
-}
bool recheck_cpu_features(unsigned int cpu)
{
@@ -590,181 +33,11 @@
return okay;
}
-void recalculate_cpuid_policy(struct domain *d)
-{
- struct cpuid_policy *p = d->arch.cpuid;
- const struct cpuid_policy *max = is_pv_domain(d)
- ? (IS_ENABLED(CONFIG_PV) ? &pv_max_cpuid_policy : NULL)
- : (IS_ENABLED(CONFIG_HVM) ? &hvm_max_cpuid_policy : NULL);
- uint32_t fs[FSCAPINTS], max_fs[FSCAPINTS];
- unsigned int i;
-
- if ( !max )
- {
- ASSERT_UNREACHABLE();
- return;
- }
-
- p->x86_vendor = x86_cpuid_lookup_vendor(
- p->basic.vendor_ebx, p->basic.vendor_ecx, p->basic.vendor_edx);
-
- p->basic.max_leaf = min(p->basic.max_leaf, max->basic.max_leaf);
- p->feat.max_subleaf = min(p->feat.max_subleaf, max->feat.max_subleaf);
- p->extd.max_leaf = 0x80000000 | min(p->extd.max_leaf & 0xffff,
- ((p->x86_vendor & (X86_VENDOR_AMD |
- X86_VENDOR_HYGON))
- ? CPUID_GUEST_NR_EXTD_AMD
- : CPUID_GUEST_NR_EXTD_INTEL) - 1);
-
- cpuid_policy_to_featureset(p, fs);
- cpuid_policy_to_featureset(max, max_fs);
-
- if ( is_hvm_domain(d) )
- {
- /*
- * HVM domains using Shadow paging have further restrictions on their
- * available paging features.
- */
- if ( !hap_enabled(d) )
- {
- for ( i = 0; i < ARRAY_SIZE(max_fs); i++ )
- max_fs[i] &= hvm_shadow_max_featuremask[i];
- }
-
- /* Hide nested-virt if it hasn't been explicitly configured. */
- if ( !nestedhvm_enabled(d) )
- {
- __clear_bit(X86_FEATURE_VMX, max_fs);
- __clear_bit(X86_FEATURE_SVM, max_fs);
- }
- }
-
- /*
- * Allow the toolstack to set HTT, X2APIC and CMP_LEGACY. These bits
- * affect how to interpret topology information in other cpuid leaves.
- */
- __set_bit(X86_FEATURE_HTT, max_fs);
- __set_bit(X86_FEATURE_X2APIC, max_fs);
- __set_bit(X86_FEATURE_CMP_LEGACY, max_fs);
-
- /*
- * 32bit PV domains can't use any Long Mode features, and cannot use
- * SYSCALL on non-AMD hardware.
- */
- if ( is_pv_32bit_domain(d) )
- {
- __clear_bit(X86_FEATURE_LM, max_fs);
- if ( !(boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON)) )
- __clear_bit(X86_FEATURE_SYSCALL, max_fs);
- }
-
- /*
- * ITSC is masked by default (so domains are safe to migrate), but a
- * toolstack which has configured disable_migrate or vTSC for a domain may
- * safely select it, and needs a way of doing so.
- */
- if ( cpu_has_itsc && (d->disable_migrate || d->arch.vtsc) )
- __set_bit(X86_FEATURE_ITSC, max_fs);
-
- /* Clamp the toolstacks choices to reality. */
- for ( i = 0; i < ARRAY_SIZE(fs); i++ )
- fs[i] &= max_fs[i];
-
- if ( p->basic.max_leaf < XSTATE_CPUID )
- __clear_bit(X86_FEATURE_XSAVE, fs);
-
- sanitise_featureset(fs);
-
- /* Fold host's FDP_EXCP_ONLY and NO_FPU_SEL into guest's view. */
- fs[FEATURESET_7b0] &= ~(cpufeat_mask(X86_FEATURE_FDP_EXCP_ONLY) |
- cpufeat_mask(X86_FEATURE_NO_FPU_SEL));
- fs[FEATURESET_7b0] |= (host_cpuid_policy.feat._7b0 &
- (cpufeat_mask(X86_FEATURE_FDP_EXCP_ONLY) |
- cpufeat_mask(X86_FEATURE_NO_FPU_SEL)));
-
- cpuid_featureset_to_policy(fs, p);
-
- /* Pass host cacheline size through to guests. */
- p->basic.clflush_size = max->basic.clflush_size;
-
- p->extd.maxphysaddr = min(p->extd.maxphysaddr, max->extd.maxphysaddr);
- p->extd.maxphysaddr = min_t(uint8_t, p->extd.maxphysaddr,
- paging_max_paddr_bits(d));
- p->extd.maxphysaddr = max_t(uint8_t, p->extd.maxphysaddr,
- (p->basic.pae || p->basic.pse36) ? 36 : 32);
-
- p->extd.maxlinaddr = p->extd.lm ? 48 : 32;
-
- recalculate_xstate(p);
- recalculate_misc(p);
-
- for ( i = 0; i < ARRAY_SIZE(p->cache.raw); ++i )
- {
- if ( p->cache.subleaf[i].type >= 1 &&
- p->cache.subleaf[i].type <= 3 )
- {
- /* Subleaf has a valid cache type. Zero reserved fields. */
- p->cache.raw[i].a &= 0xffffc3ffu;
- p->cache.raw[i].d &= 0x00000007u;
- }
- else
- {
- /* Subleaf is not valid. Zero the rest of the union. */
- zero_leaves(p->cache.raw, i, ARRAY_SIZE(p->cache.raw) - 1);
- break;
- }
- }
-
- if ( vpmu_mode == XENPMU_MODE_OFF ||
- ((vpmu_mode & XENPMU_MODE_ALL) && !is_hardware_domain(d)) )
- p->basic.raw[0xa] = EMPTY_LEAF;
-
- if ( !p->extd.svm )
- p->extd.raw[0xa] = EMPTY_LEAF;
-
- if ( !p->extd.page1gb )
- p->extd.raw[0x19] = EMPTY_LEAF;
-}
-
-int init_domain_cpuid_policy(struct domain *d)
-{
- struct cpuid_policy *p = is_pv_domain(d)
- ? (IS_ENABLED(CONFIG_PV) ? &pv_def_cpuid_policy : NULL)
- : (IS_ENABLED(CONFIG_HVM) ? &hvm_def_cpuid_policy : NULL);
-
- if ( !p )
- {
- ASSERT_UNREACHABLE();
- return -EOPNOTSUPP;
- }
-
- p = xmemdup(p);
- if ( !p )
- return -ENOMEM;
-
- if ( d->disable_migrate )
- p->extd.itsc = cpu_has_itsc;
-
- /*
- * Expose the "hardware speculation behaviour" bits of ARCH_CAPS to dom0,
- * so dom0 can turn off workarounds as appropriate. Temporary, until the
- * domain policy logic gains a better understanding of MSRs.
- */
- if ( is_hardware_domain(d) && cpu_has_arch_caps )
- p->feat.arch_caps = true;
-
- d->arch.cpuid = p;
-
- recalculate_cpuid_policy(d);
-
- return 0;
-}
-
void guest_cpuid(const struct vcpu *v, uint32_t leaf,
uint32_t subleaf, struct cpuid_leaf *res)
{
const struct domain *d = v->domain;
- const struct cpuid_policy *p = d->arch.cpuid;
+ const struct cpu_policy *p = d->arch.cpu_policy;
*res = EMPTY_LEAF;
@@ -1009,7 +282,7 @@
if ( is_pv_domain(d) && is_hardware_domain(d) &&
guest_kernel_mode(v, regs) && cpu_has_monitor &&
regs->entry_vector == TRAP_gp_fault )
- *res = raw_cpuid_policy.basic.raw[5];
+ *res = raw_cpu_policy.basic.raw[5];
break;
case 0x7:
@@ -1130,28 +403,6 @@
}
}
-static void __init __maybe_unused build_assertions(void)
-{
- BUILD_BUG_ON(ARRAY_SIZE(known_features) != FSCAPINTS);
- BUILD_BUG_ON(ARRAY_SIZE(special_features) != FSCAPINTS);
- BUILD_BUG_ON(ARRAY_SIZE(pv_max_featuremask) != FSCAPINTS);
- BUILD_BUG_ON(ARRAY_SIZE(hvm_shadow_max_featuremask) != FSCAPINTS);
- BUILD_BUG_ON(ARRAY_SIZE(hvm_hap_max_featuremask) != FSCAPINTS);
- BUILD_BUG_ON(ARRAY_SIZE(deep_features) != FSCAPINTS);
-
- /* Find some more clever allocation scheme if this trips. */
- BUILD_BUG_ON(sizeof(struct cpuid_policy) > PAGE_SIZE);
-
- BUILD_BUG_ON(sizeof(raw_cpuid_policy.basic) !=
- sizeof(raw_cpuid_policy.basic.raw));
- BUILD_BUG_ON(sizeof(raw_cpuid_policy.feat) !=
- sizeof(raw_cpuid_policy.feat.raw));
- BUILD_BUG_ON(sizeof(raw_cpuid_policy.xstate) !=
- sizeof(raw_cpuid_policy.xstate.raw));
- BUILD_BUG_ON(sizeof(raw_cpuid_policy.extd) !=
- sizeof(raw_cpuid_policy.extd.raw));
-}
-
/*
* Local variables:
* mode: C
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/cpu-policy.c xen-4.14.6/xen/arch/x86/cpu-policy.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/cpu-policy.c 1970-01-01 01:00:00.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/cpu-policy.c 2023-08-07 14:11:14.000000000 +0200
@@ -0,0 +1,930 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+#include <xen/cache.h>
+#include <xen/kernel.h>
+#include <xen/param.h>
+#include <xen/sched.h>
+
+#include <xen/lib/x86/cpu-policy.h>
+
+#include <asm/amd.h>
+#include <asm/cpu-policy.h>
+#include <asm/hvm/nestedhvm.h>
+#include <asm/hvm/svm/svm.h>
+#include <asm/msr-index.h>
+#include <asm/paging.h>
+#include <asm/setup.h>
+#include <asm/xstate.h>
+
+struct cpu_policy __read_mostly raw_cpu_policy;
+struct cpu_policy __read_mostly host_cpu_policy;
+#ifdef CONFIG_PV
+struct cpu_policy __read_mostly pv_max_cpu_policy;
+struct cpu_policy __read_mostly pv_def_cpu_policy;
+#endif
+#ifdef CONFIG_HVM
+struct cpu_policy __read_mostly hvm_max_cpu_policy;
+struct cpu_policy __read_mostly hvm_def_cpu_policy;
+#endif
+
+const uint32_t known_features[] = INIT_KNOWN_FEATURES;
+
+static const uint32_t __initconst pv_max_featuremask[] = INIT_PV_MAX_FEATURES;
+static const uint32_t hvm_shadow_max_featuremask[] = INIT_HVM_SHADOW_MAX_FEATURES;
+static const uint32_t __initconst hvm_hap_max_featuremask[] =
+ INIT_HVM_HAP_MAX_FEATURES;
+static const uint32_t __initconst pv_def_featuremask[] = INIT_PV_DEF_FEATURES;
+static const uint32_t __initconst hvm_shadow_def_featuremask[] =
+ INIT_HVM_SHADOW_DEF_FEATURES;
+static const uint32_t __initconst hvm_hap_def_featuremask[] =
+ INIT_HVM_HAP_DEF_FEATURES;
+static const uint32_t deep_features[] = INIT_DEEP_FEATURES;
+
+static const struct feature_name {
+ const char *name;
+ unsigned int bit;
+} feature_names[] __initconstrel = INIT_FEATURE_NAMES;
+
+/*
+ * Parse a list of cpuid feature names -> bool, calling the callback for any
+ * matches found.
+ *
+ * always_inline, because this is init code only and we really don't want a
+ * function pointer call in the middle of the loop.
+ */
+static int __init always_inline parse_cpuid(
+ const char *s, void (*callback)(unsigned int feat, bool val))
+{
+ const char *ss;
+ int val, rc = 0;
+
+ do {
+ const struct feature_name *lhs, *rhs, *mid = NULL /* GCC... */;
+ const char *feat;
+
+ ss = strchr(s, ',');
+ if ( !ss )
+ ss = strchr(s, '\0');
+
+ /* Skip the 'no-' prefix for name comparisons. */
+ feat = s;
+ if ( strncmp(s, "no-", 3) == 0 )
+ feat += 3;
+
+ /* (Re)initalise lhs and rhs for binary search. */
+ lhs = feature_names;
+ rhs = feature_names + ARRAY_SIZE(feature_names);
+
+ while ( lhs < rhs )
+ {
+ int res;
+
+ mid = lhs + (rhs - lhs) / 2;
+ res = cmdline_strcmp(feat, mid->name);
+
+ if ( res < 0 )
+ {
+ rhs = mid;
+ continue;
+ }
+ if ( res > 0 )
+ {
+ lhs = mid + 1;
+ continue;
+ }
+
+ if ( (val = parse_boolean(mid->name, s, ss)) >= 0 )
+ {
+ callback(mid->bit, val);
+ mid = NULL;
+ }
+
+ break;
+ }
+
+ /*
+ * Mid being NULL means that the name and boolean were successfully
+ * identified. Everything else is an error.
+ */
+ if ( mid )
+ rc = -EINVAL;
+
+ s = ss + 1;
+ } while ( *ss );
+
+ return rc;
+}
+
+static void __init _parse_xen_cpuid(unsigned int feat, bool val)
+{
+ if ( !val )
+ setup_clear_cpu_cap(feat);
+ else if ( feat == X86_FEATURE_RDRAND &&
+ (cpuid_ecx(1) & cpufeat_mask(X86_FEATURE_RDRAND)) )
+ setup_force_cpu_cap(X86_FEATURE_RDRAND);
+}
+
+static int __init parse_xen_cpuid(const char *s)
+{
+ return parse_cpuid(s, _parse_xen_cpuid);
+}
+custom_param("cpuid", parse_xen_cpuid);
+
+static bool __initdata dom0_cpuid_cmdline;
+static uint32_t __initdata dom0_enable_feat[FSCAPINTS];
+static uint32_t __initdata dom0_disable_feat[FSCAPINTS];
+
+static void __init _parse_dom0_cpuid(unsigned int feat, bool val)
+{
+ __set_bit (feat, val ? dom0_enable_feat : dom0_disable_feat);
+ __clear_bit(feat, val ? dom0_disable_feat : dom0_enable_feat );
+}
+
+static int __init parse_dom0_cpuid(const char *s)
+{
+ dom0_cpuid_cmdline = true;
+
+ return parse_cpuid(s, _parse_dom0_cpuid);
+}
+custom_param("dom0-cpuid", parse_dom0_cpuid);
+
+#define EMPTY_LEAF ((struct cpuid_leaf){})
+static void zero_leaves(struct cpuid_leaf *l,
+ unsigned int first, unsigned int last)
+{
+ memset(&l[first], 0, sizeof(*l) * (last - first + 1));
+}
+
+static void sanitise_featureset(uint32_t *fs)
+{
+ /* for_each_set_bit() uses unsigned longs. Extend with zeroes. */
+ uint32_t disabled_features[
+ ROUNDUP(FSCAPINTS, sizeof(unsigned long)/sizeof(uint32_t))] = {};
+ unsigned int i;
+
+ for ( i = 0; i < FSCAPINTS; ++i )
+ {
+ /* Clamp to known mask. */
+ fs[i] &= known_features[i];
+
+ /*
+ * Identify which features with deep dependencies have been
+ * disabled.
+ */
+ disabled_features[i] = ~fs[i] & deep_features[i];
+ }
+
+ for_each_set_bit(i, (void *)disabled_features,
+ sizeof(disabled_features) * 8)
+ {
+ const uint32_t *dfs = x86_cpu_policy_lookup_deep_deps(i);
+ unsigned int j;
+
+ ASSERT(dfs); /* deep_features[] should guarentee this. */
+
+ for ( j = 0; j < FSCAPINTS; ++j )
+ {
+ fs[j] &= ~dfs[j];
+ disabled_features[j] &= ~dfs[j];
+ }
+ }
+}
+
+static void recalculate_xstate(struct cpu_policy *p)
+{
+ uint64_t xstates = XSTATE_FP_SSE;
+ uint32_t xstate_size = XSTATE_AREA_MIN_SIZE;
+ unsigned int i, Da1 = p->xstate.Da1;
+
+ /*
+ * The Da1 leaf is the only piece of information preserved in the common
+ * case. Everything else is derived from other feature state.
+ */
+ memset(&p->xstate, 0, sizeof(p->xstate));
+
+ if ( !p->basic.xsave )
+ return;
+
+ if ( p->basic.avx )
+ {
+ xstates |= X86_XCR0_YMM;
+ xstate_size = max(xstate_size,
+ xstate_offsets[X86_XCR0_YMM_POS] +
+ xstate_sizes[X86_XCR0_YMM_POS]);
+ }
+
+ if ( p->feat.mpx )
+ {
+ xstates |= X86_XCR0_BNDREGS | X86_XCR0_BNDCSR;
+ xstate_size = max(xstate_size,
+ xstate_offsets[X86_XCR0_BNDCSR_POS] +
+ xstate_sizes[X86_XCR0_BNDCSR_POS]);
+ }
+
+ if ( p->feat.avx512f )
+ {
+ xstates |= X86_XCR0_OPMASK | X86_XCR0_ZMM | X86_XCR0_HI_ZMM;
+ xstate_size = max(xstate_size,
+ xstate_offsets[X86_XCR0_HI_ZMM_POS] +
+ xstate_sizes[X86_XCR0_HI_ZMM_POS]);
+ }
+
+ if ( p->feat.pku )
+ {
+ xstates |= X86_XCR0_PKRU;
+ xstate_size = max(xstate_size,
+ xstate_offsets[X86_XCR0_PKRU_POS] +
+ xstate_sizes[X86_XCR0_PKRU_POS]);
+ }
+
+ p->xstate.max_size = xstate_size;
+ p->xstate.xcr0_low = xstates & ~XSTATE_XSAVES_ONLY;
+ p->xstate.xcr0_high = (xstates & ~XSTATE_XSAVES_ONLY) >> 32;
+
+ p->xstate.Da1 = Da1;
+ if ( p->xstate.xsaves )
+ {
+ p->xstate.xss_low = xstates & XSTATE_XSAVES_ONLY;
+ p->xstate.xss_high = (xstates & XSTATE_XSAVES_ONLY) >> 32;
+ }
+ else
+ xstates &= ~XSTATE_XSAVES_ONLY;
+
+ for ( i = 2; i < min(63ul, ARRAY_SIZE(p->xstate.comp)); ++i )
+ {
+ uint64_t curr_xstate = 1ul << i;
+
+ if ( !(xstates & curr_xstate) )
+ continue;
+
+ p->xstate.comp[i].size = xstate_sizes[i];
+ p->xstate.comp[i].offset = xstate_offsets[i];
+ p->xstate.comp[i].xss = curr_xstate & XSTATE_XSAVES_ONLY;
+ p->xstate.comp[i].align = curr_xstate & xstate_align;
+ }
+}
+
+/*
+ * Misc adjustments to the policy. Mostly clobbering reserved fields and
+ * duplicating shared fields. Intentionally hidden fields are annotated.
+ */
+static void recalculate_misc(struct cpu_policy *p)
+{
+ p->basic.raw_fms &= 0x0fff0fff; /* Clobber Processor Type on Intel. */
+ p->basic.apic_id = 0; /* Dynamic. */
+
+ p->basic.raw[0x5] = EMPTY_LEAF; /* MONITOR not exposed to guests. */
+ p->basic.raw[0x6] = EMPTY_LEAF; /* Therm/Power not exposed to guests. */
+
+ p->basic.raw[0x8] = EMPTY_LEAF;
+
+ /* TODO: Rework topology logic. */
+ memset(p->topo.raw, 0, sizeof(p->topo.raw));
+
+ p->basic.raw[0xc] = EMPTY_LEAF;
+
+ p->extd.e1d &= ~CPUID_COMMON_1D_FEATURES;
+
+ /* Most of Power/RAS hidden from guests. */
+ p->extd.raw[0x7].a = p->extd.raw[0x7].b = p->extd.raw[0x7].c = 0;
+
+ p->extd.raw[0x8].d = 0;
+
+ switch ( p->x86_vendor )
+ {
+ case X86_VENDOR_INTEL:
+ p->basic.l2_nr_queries = 1; /* Fixed to 1 query. */
+ p->basic.raw[0x3] = EMPTY_LEAF; /* PSN - always hidden. */
+ p->basic.raw[0x9] = EMPTY_LEAF; /* DCA - always hidden. */
+
+ p->extd.vendor_ebx = 0;
+ p->extd.vendor_ecx = 0;
+ p->extd.vendor_edx = 0;
+
+ p->extd.raw[0x1].a = p->extd.raw[0x1].b = 0;
+
+ p->extd.raw[0x5] = EMPTY_LEAF;
+ p->extd.raw[0x6].a = p->extd.raw[0x6].b = p->extd.raw[0x6].d = 0;
+
+ p->extd.raw[0x8].a &= 0x0000ffff;
+ p->extd.raw[0x8].c = 0;
+ break;
+
+ case X86_VENDOR_AMD:
+ case X86_VENDOR_HYGON:
+ zero_leaves(p->basic.raw, 0x2, 0x3);
+ memset(p->cache.raw, 0, sizeof(p->cache.raw));
+ zero_leaves(p->basic.raw, 0x9, 0xa);
+
+ p->extd.vendor_ebx = p->basic.vendor_ebx;
+ p->extd.vendor_ecx = p->basic.vendor_ecx;
+ p->extd.vendor_edx = p->basic.vendor_edx;
+
+ p->extd.raw_fms = p->basic.raw_fms;
+ p->extd.raw[0x1].b &= 0xff00ffff;
+ p->extd.e1d |= p->basic._1d & CPUID_COMMON_1D_FEATURES;
+
+ p->extd.raw[0x8].a &= 0x0000ffff; /* GuestMaxPhysAddr hidden. */
+ p->extd.raw[0x8].c &= 0x0003f0ff;
+
+ p->extd.raw[0x9] = EMPTY_LEAF;
+
+ zero_leaves(p->extd.raw, 0xb, 0x18);
+
+ /* 0x19 - TLB details. Pass through. */
+ /* 0x1a - Perf hints. Pass through. */
+
+ p->extd.raw[0x1b] = EMPTY_LEAF; /* IBS - not supported. */
+ p->extd.raw[0x1c] = EMPTY_LEAF; /* LWP - not supported. */
+ p->extd.raw[0x1d] = EMPTY_LEAF; /* TopoExt Cache */
+ p->extd.raw[0x1e] = EMPTY_LEAF; /* TopoExt APIC ID/Core/Node */
+ p->extd.raw[0x1f] = EMPTY_LEAF; /* SEV */
+ p->extd.raw[0x20] = EMPTY_LEAF; /* Platform QoS */
+ break;
+ }
+}
+
+static void __init calculate_raw_policy(void)
+{
+ struct cpu_policy *p = &raw_cpu_policy;
+
+ x86_cpu_policy_fill_native(p);
+
+ /* Nothing good will come from Xen and libx86 disagreeing on vendor. */
+ ASSERT(p->x86_vendor == boot_cpu_data.x86_vendor);
+
+ /* 0x000000ce MSR_INTEL_PLATFORM_INFO */
+ /* Was already added by probe_cpuid_faulting() */
+}
+
+static void __init calculate_host_policy(void)
+{
+ struct cpu_policy *p = &host_cpu_policy;
+ unsigned int max_extd_leaf;
+
+ *p = raw_cpu_policy;
+
+ p->basic.max_leaf =
+ min_t(uint32_t, p->basic.max_leaf, ARRAY_SIZE(p->basic.raw) - 1);
+ p->feat.max_subleaf =
+ min_t(uint32_t, p->feat.max_subleaf, ARRAY_SIZE(p->feat.raw) - 1);
+
+ max_extd_leaf = p->extd.max_leaf;
+
+ /*
+ * For AMD/Hygon hardware before Zen3, we unilaterally modify LFENCE to be
+ * dispatch serialising for Spectre mitigations. Extend max_extd_leaf
+ * beyond what hardware supports, to include the feature leaf containing
+ * this information.
+ */
+ if ( cpu_has_lfence_dispatch )
+ max_extd_leaf = max(max_extd_leaf, 0x80000021);
+
+ p->extd.max_leaf = 0x80000000 | min_t(uint32_t, max_extd_leaf & 0xffff,
+ ARRAY_SIZE(p->extd.raw) - 1);
+
+ x86_cpu_featureset_to_policy(boot_cpu_data.x86_capability, p);
+ recalculate_xstate(p);
+ recalculate_misc(p);
+
+ /* When vPMU is disabled, drop it from the host policy. */
+ if ( vpmu_mode == XENPMU_MODE_OFF )
+ p->basic.raw[0xa] = EMPTY_LEAF;
+
+ if ( p->extd.svm )
+ {
+ /* Clamp to implemented features which require hardware support. */
+ p->extd.raw[0xa].d &= ((1u << SVM_FEATURE_NPT) |
+ (1u << SVM_FEATURE_LBRV) |
+ (1u << SVM_FEATURE_NRIPS) |
+ (1u << SVM_FEATURE_PAUSEFILTER) |
+ (1u << SVM_FEATURE_DECODEASSISTS));
+ /* Enable features which are always emulated. */
+ p->extd.raw[0xa].d |= ((1u << SVM_FEATURE_VMCBCLEAN) |
+ (1u << SVM_FEATURE_TSCRATEMSR));
+ }
+
+ /* 0x000000ce MSR_INTEL_PLATFORM_INFO */
+ /* probe_cpuid_faulting() sanity checks presence of MISC_FEATURES_ENABLES */
+ p->platform_info.cpuid_faulting = cpu_has_cpuid_faulting;
+}
+
+static void __init guest_common_max_feature_adjustments(uint32_t *fs)
+{
+ if ( boot_cpu_data.x86_vendor == X86_VENDOR_INTEL )
+ {
+ /*
+ * MSR_ARCH_CAPS is just feature data, and we can offer it to guests
+ * unconditionally, although limit it to Intel systems as it is highly
+ * uarch-specific.
+ *
+ * In particular, the RSBA and RRSBA bits mean "you might migrate to a
+ * system where RSB underflow uses alternative predictors (a.k.a
+ * Retpoline not safe)", so these need to be visible to a guest in all
+ * cases, even when it's only some other server in the pool which
+ * suffers the identified behaviour.
+ *
+ * We can always run any VM which has previously (or will
+ * subsequently) run on hardware where Retpoline is not safe.
+ * Note:
+ * - The dependency logic may hide RRSBA for other reasons.
+ * - The max policy does not constitute a sensible configuration to
+ * run a guest in.
+ */
+ __set_bit(X86_FEATURE_ARCH_CAPS, fs);
+ __set_bit(X86_FEATURE_RSBA, fs);
+ __set_bit(X86_FEATURE_RRSBA, fs);
+
+ /*
+ * The Gather Data Sampling microcode mitigation (August 2023) has an
+ * adverse performance impact on the CLWB instruction on SKX/CLX/CPX.
+ *
+ * We hid CLWB in the host policy to stop Xen using it, but VMs which
+ * have previously seen the CLWB feature can safely run on this CPU.
+ */
+ if ( boot_cpu_data.x86 == 6 &&
+ boot_cpu_data.x86_model == 0x55 /* INTEL_FAM6_SKYLAKE_X */ &&
+ raw_cpu_policy.feat.clwb )
+ __set_bit(X86_FEATURE_CLWB, fs);
+ }
+}
+
+static void __init guest_common_default_feature_adjustments(uint32_t *fs)
+{
+ if ( boot_cpu_data.x86_vendor == X86_VENDOR_INTEL )
+ {
+ /*
+ * IvyBridge client parts suffer from leakage of RDRAND data due to SRBDS
+ * (XSA-320 / CVE-2020-0543), and won't be receiving microcode to
+ * compensate.
+ *
+ * Mitigate by hiding RDRAND from guests by default, unless explicitly
+ * overridden on the Xen command line (cpuid=rdrand). Irrespective of the
+ * default setting, guests can use RDRAND if explicitly enabled
+ * (cpuid="host,rdrand=1") in the VM's config file, and VMs which were
+ * previously using RDRAND can migrate in.
+ */
+ if ( boot_cpu_data.x86 == 6 &&
+ boot_cpu_data.x86_model == 0x3a /* INTEL_FAM6_IVYBRIDGE */ &&
+ cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) )
+ __clear_bit(X86_FEATURE_RDRAND, fs);
+
+ /*
+ * The Gather Data Sampling microcode mitigation (August 2023) has an
+ * adverse performance impact on the CLWB instruction on SKX/CLX/CPX.
+ *
+ * We hid CLWB in the host policy to stop Xen using it, but re-added
+ * it to the max policy to let VMs migrate in. Re-hide it in the
+ * default policy to disuade VMs from using it in the common case.
+ */
+ if ( boot_cpu_data.x86 == 6 &&
+ boot_cpu_data.x86_model == 0x55 /* INTEL_FAM6_SKYLAKE_X */ &&
+ raw_cpu_policy.feat.clwb )
+ __clear_bit(X86_FEATURE_CLWB, fs);
+ }
+
+ /*
+ * On certain hardware, speculative or errata workarounds can result in
+ * TSX being placed in "force-abort" mode, where it doesn't actually
+ * function as expected, but is technically compatible with the ISA.
+ *
+ * Do not advertise RTM to guests by default if it won't actually work.
+ */
+ if ( rtm_disabled )
+ __clear_bit(X86_FEATURE_RTM, fs);
+}
+
+static void __init guest_common_feature_adjustments(uint32_t *fs)
+{
+ /* Unconditionally claim to be able to set the hypervisor bit. */
+ __set_bit(X86_FEATURE_HYPERVISOR, fs);
+
+ /*
+ * If IBRS is offered to the guest, unconditionally offer STIBP. It is a
+ * nop on non-HT hardware, and has this behaviour to make heterogeneous
+ * setups easier to manage.
+ */
+ if ( test_bit(X86_FEATURE_IBRSB, fs) )
+ __set_bit(X86_FEATURE_STIBP, fs);
+ if ( test_bit(X86_FEATURE_IBRS, fs) )
+ __set_bit(X86_FEATURE_AMD_STIBP, fs);
+
+ /*
+ * On hardware which supports IBRS/IBPB, we can offer IBPB independently
+ * of IBRS by using the AMD feature bit. An administrator may wish for
+ * performance reasons to offer IBPB without IBRS.
+ */
+ if ( host_cpu_policy.feat.ibrsb )
+ __set_bit(X86_FEATURE_IBPB, fs);
+}
+
+static void __init calculate_pv_max_policy(void)
+{
+ struct cpu_policy *p = &pv_max_cpu_policy;
+ uint32_t fs[FSCAPINTS];
+ unsigned int i;
+
+ *p = host_cpu_policy;
+ x86_cpu_policy_to_featureset(p, fs);
+
+ for ( i = 0; i < ARRAY_SIZE(fs); ++i )
+ fs[i] &= pv_max_featuremask[i];
+
+ /*
+ * If Xen isn't virtualising MSR_SPEC_CTRL for PV guests (functional
+ * availability, or admin choice), hide the feature.
+ */
+ if ( !boot_cpu_has(X86_FEATURE_SC_MSR_PV) )
+ {
+ __clear_bit(X86_FEATURE_IBRSB, fs);
+ __clear_bit(X86_FEATURE_IBRS, fs);
+ }
+
+ guest_common_max_feature_adjustments(fs);
+ guest_common_feature_adjustments(fs);
+
+ sanitise_featureset(fs);
+ x86_cpu_featureset_to_policy(fs, p);
+ recalculate_xstate(p);
+
+ p->extd.raw[0xa] = EMPTY_LEAF; /* No SVM for PV guests. */
+}
+
+static void __init calculate_pv_def_policy(void)
+{
+ struct cpu_policy *p = &pv_def_cpu_policy;
+ uint32_t fs[FSCAPINTS];
+ unsigned int i;
+
+ *p = pv_max_cpu_policy;
+ x86_cpu_policy_to_featureset(p, fs);
+
+ for ( i = 0; i < ARRAY_SIZE(fs); ++i )
+ fs[i] &= pv_def_featuremask[i];
+
+ guest_common_feature_adjustments(fs);
+ guest_common_default_feature_adjustments(fs);
+
+ sanitise_featureset(fs);
+
+ /*
+ * If the host suffers from RSBA of any form, and the guest can see
+ * MSR_ARCH_CAPS, reflect the appropriate RSBA/RRSBA property to the guest
+ * depending on the visibility of eIBRS.
+ */
+ if ( test_bit(X86_FEATURE_ARCH_CAPS, fs) &&
+ (cpu_has_rsba || cpu_has_rrsba) )
+ {
+ bool eibrs = test_bit(X86_FEATURE_EIBRS, fs);
+
+ __set_bit(eibrs ? X86_FEATURE_RRSBA
+ : X86_FEATURE_RSBA, fs);
+ }
+
+ x86_cpu_featureset_to_policy(fs, p);
+ recalculate_xstate(p);
+}
+
+static void __init calculate_hvm_max_policy(void)
+{
+ struct cpu_policy *p = &hvm_max_cpu_policy;
+ uint32_t fs[FSCAPINTS];
+ unsigned int i;
+ const uint32_t *mask;
+
+ *p = host_cpu_policy;
+ x86_cpu_policy_to_featureset(p, fs);
+
+ mask = hvm_hap_supported() ?
+ hvm_hap_max_featuremask : hvm_shadow_max_featuremask;
+
+ for ( i = 0; i < ARRAY_SIZE(fs); ++i )
+ fs[i] &= mask[i];
+
+ /*
+ * Xen can provide an (x2)APIC emulation to HVM guests even if the host's
+ * (x2)APIC isn't enabled.
+ */
+ __set_bit(X86_FEATURE_APIC, fs);
+ __set_bit(X86_FEATURE_X2APIC, fs);
+
+ /*
+ * On AMD, PV guests are entirely unable to use SYSENTER as Xen runs in
+ * long mode (and init_amd() has cleared it out of host capabilities), but
+ * HVM guests are able if running in protected mode.
+ */
+ if ( (boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON)) &&
+ raw_cpu_policy.basic.sep )
+ __set_bit(X86_FEATURE_SEP, fs);
+
+ /*
+ * If Xen isn't virtualising MSR_SPEC_CTRL for HVM guests (functional
+ * availability, or admin choice), hide the feature.
+ */
+ if ( !boot_cpu_has(X86_FEATURE_SC_MSR_HVM) )
+ {
+ __clear_bit(X86_FEATURE_IBRSB, fs);
+ __clear_bit(X86_FEATURE_IBRS, fs);
+ }
+
+ /*
+ * With VT-x, some features are only supported by Xen if dedicated
+ * hardware support is also available.
+ */
+ if ( cpu_has_vmx )
+ {
+ if ( !cpu_has_vmx_mpx )
+ __clear_bit(X86_FEATURE_MPX, fs);
+
+ if ( !cpu_has_vmx_xsaves )
+ __clear_bit(X86_FEATURE_XSAVES, fs);
+ }
+
+ guest_common_max_feature_adjustments(fs);
+ guest_common_feature_adjustments(fs);
+
+ sanitise_featureset(fs);
+ x86_cpu_featureset_to_policy(fs, p);
+ recalculate_xstate(p);
+
+ /* It's always possible to emulate CPUID faulting for HVM guests */
+ p->platform_info.cpuid_faulting = true;
+}
+
+static void __init calculate_hvm_def_policy(void)
+{
+ struct cpu_policy *p = &hvm_def_cpu_policy;
+ uint32_t fs[FSCAPINTS];
+ unsigned int i;
+ const uint32_t *mask;
+
+ *p = hvm_max_cpu_policy;
+ x86_cpu_policy_to_featureset(p, fs);
+
+ mask = hvm_hap_supported() ?
+ hvm_hap_def_featuremask : hvm_shadow_def_featuremask;
+
+ for ( i = 0; i < ARRAY_SIZE(fs); ++i )
+ fs[i] &= mask[i];
+
+ guest_common_feature_adjustments(fs);
+ guest_common_default_feature_adjustments(fs);
+
+ sanitise_featureset(fs);
+
+ /*
+ * If the host suffers from RSBA of any form, and the guest can see
+ * MSR_ARCH_CAPS, reflect the appropriate RSBA/RRSBA property to the guest
+ * depending on the visibility of eIBRS.
+ */
+ if ( test_bit(X86_FEATURE_ARCH_CAPS, fs) &&
+ (cpu_has_rsba || cpu_has_rrsba) )
+ {
+ bool eibrs = test_bit(X86_FEATURE_EIBRS, fs);
+
+ __set_bit(eibrs ? X86_FEATURE_RRSBA
+ : X86_FEATURE_RSBA, fs);
+ }
+
+ x86_cpu_featureset_to_policy(fs, p);
+ recalculate_xstate(p);
+}
+
+void __init init_guest_cpu_policies(void)
+{
+ calculate_raw_policy();
+ calculate_host_policy();
+
+ if ( IS_ENABLED(CONFIG_PV) )
+ {
+ calculate_pv_max_policy();
+ calculate_pv_def_policy();
+ }
+
+ if ( hvm_enabled )
+ {
+ calculate_hvm_max_policy();
+ calculate_hvm_def_policy();
+ }
+}
+
+int init_domain_cpu_policy(struct domain *d)
+{
+ struct cpu_policy *p = is_pv_domain(d)
+ ? (IS_ENABLED(CONFIG_PV) ? &pv_def_cpu_policy : NULL)
+ : (IS_ENABLED(CONFIG_HVM) ? &hvm_def_cpu_policy : NULL);
+
+ if ( !p )
+ {
+ ASSERT_UNREACHABLE();
+ return -EOPNOTSUPP;
+ }
+
+ p = xmemdup(p);
+ if ( !p )
+ return -ENOMEM;
+
+ d->arch.cpu_policy = p;
+
+ recalculate_cpuid_policy(d);
+
+ return 0;
+}
+
+void recalculate_cpuid_policy(struct domain *d)
+{
+ struct cpu_policy *p = d->arch.cpuid;
+ const struct cpu_policy *max = is_pv_domain(d)
+ ? (IS_ENABLED(CONFIG_PV) ? &pv_max_cpu_policy : NULL)
+ : (IS_ENABLED(CONFIG_HVM) ? &hvm_max_cpu_policy : NULL);
+ uint32_t fs[FSCAPINTS], max_fs[FSCAPINTS];
+ unsigned int i;
+
+ if ( !max )
+ {
+ ASSERT_UNREACHABLE();
+ return;
+ }
+
+ p->x86_vendor = x86_cpuid_lookup_vendor(
+ p->basic.vendor_ebx, p->basic.vendor_ecx, p->basic.vendor_edx);
+
+ p->basic.max_leaf = min(p->basic.max_leaf, max->basic.max_leaf);
+ p->feat.max_subleaf = min(p->feat.max_subleaf, max->feat.max_subleaf);
+ p->extd.max_leaf = 0x80000000 | min(p->extd.max_leaf & 0xffff,
+ ((p->x86_vendor & (X86_VENDOR_AMD |
+ X86_VENDOR_HYGON))
+ ? CPUID_GUEST_NR_EXTD_AMD
+ : CPUID_GUEST_NR_EXTD_INTEL) - 1);
+
+ x86_cpu_policy_to_featureset(p, fs);
+ x86_cpu_policy_to_featureset(max, max_fs);
+
+ if ( is_hvm_domain(d) )
+ {
+ /*
+ * HVM domains using Shadow paging have further restrictions on their
+ * available paging features.
+ */
+ if ( !hap_enabled(d) )
+ {
+ for ( i = 0; i < ARRAY_SIZE(max_fs); i++ )
+ max_fs[i] &= hvm_shadow_max_featuremask[i];
+ }
+
+ /* Hide nested-virt if it hasn't been explicitly configured. */
+ if ( !nestedhvm_enabled(d) )
+ {
+ __clear_bit(X86_FEATURE_VMX, max_fs);
+ __clear_bit(X86_FEATURE_SVM, max_fs);
+ }
+ }
+
+ /*
+ * Allow the toolstack to set HTT, X2APIC and CMP_LEGACY. These bits
+ * affect how to interpret topology information in other cpuid leaves.
+ */
+ __set_bit(X86_FEATURE_HTT, max_fs);
+ __set_bit(X86_FEATURE_X2APIC, max_fs);
+ __set_bit(X86_FEATURE_CMP_LEGACY, max_fs);
+
+ /*
+ * 32bit PV domains can't use any Long Mode features, and cannot use
+ * SYSCALL on non-AMD hardware.
+ */
+ if ( is_pv_32bit_domain(d) )
+ {
+ __clear_bit(X86_FEATURE_LM, max_fs);
+ if ( !(boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON)) )
+ __clear_bit(X86_FEATURE_SYSCALL, max_fs);
+ }
+
+ /*
+ * ITSC is masked by default (so domains are safe to migrate), but a
+ * toolstack which has configured disable_migrate or vTSC for a domain may
+ * safely select it, and needs a way of doing so.
+ */
+ if ( cpu_has_itsc && (d->disable_migrate || d->arch.vtsc) )
+ __set_bit(X86_FEATURE_ITSC, max_fs);
+
+ /* Clamp the toolstacks choices to reality. */
+ for ( i = 0; i < ARRAY_SIZE(fs); i++ )
+ fs[i] &= max_fs[i];
+
+ if ( p->basic.max_leaf < XSTATE_CPUID )
+ __clear_bit(X86_FEATURE_XSAVE, fs);
+
+ sanitise_featureset(fs);
+
+ /* Fold host's FDP_EXCP_ONLY and NO_FPU_SEL into guest's view. */
+ fs[FEATURESET_7b0] &= ~(cpufeat_mask(X86_FEATURE_FDP_EXCP_ONLY) |
+ cpufeat_mask(X86_FEATURE_NO_FPU_SEL));
+ fs[FEATURESET_7b0] |= (host_cpu_policy.feat._7b0 &
+ (cpufeat_mask(X86_FEATURE_FDP_EXCP_ONLY) |
+ cpufeat_mask(X86_FEATURE_NO_FPU_SEL)));
+
+ x86_cpu_featureset_to_policy(fs, p);
+
+ /* Pass host cacheline size through to guests. */
+ p->basic.clflush_size = max->basic.clflush_size;
+
+ p->extd.maxphysaddr = min(p->extd.maxphysaddr, max->extd.maxphysaddr);
+ p->extd.maxphysaddr = min_t(uint8_t, p->extd.maxphysaddr,
+ paging_max_paddr_bits(d));
+ p->extd.maxphysaddr = max_t(uint8_t, p->extd.maxphysaddr,
+ (p->basic.pae || p->basic.pse36) ? 36 : 32);
+
+ p->extd.maxlinaddr = p->extd.lm ? 48 : 32;
+
+ recalculate_xstate(p);
+ recalculate_misc(p);
+
+ for ( i = 0; i < ARRAY_SIZE(p->cache.raw); ++i )
+ {
+ if ( p->cache.subleaf[i].type >= 1 &&
+ p->cache.subleaf[i].type <= 3 )
+ {
+ /* Subleaf has a valid cache type. Zero reserved fields. */
+ p->cache.raw[i].a &= 0xffffc3ffu;
+ p->cache.raw[i].d &= 0x00000007u;
+ }
+ else
+ {
+ /* Subleaf is not valid. Zero the rest of the union. */
+ zero_leaves(p->cache.raw, i, ARRAY_SIZE(p->cache.raw) - 1);
+ break;
+ }
+ }
+
+ if ( vpmu_mode == XENPMU_MODE_OFF ||
+ ((vpmu_mode & XENPMU_MODE_ALL) && !is_hardware_domain(d)) )
+ p->basic.raw[0xa] = EMPTY_LEAF;
+
+ if ( !p->extd.svm )
+ p->extd.raw[0xa] = EMPTY_LEAF;
+
+ if ( !p->extd.page1gb )
+ p->extd.raw[0x19] = EMPTY_LEAF;
+}
+
+/*
+ * Adjust the CPU policy for dom0. Really, this is "the domain Xen builds
+ * automatically on boot", and might not have the domid 0 (e.g. pvshim).
+ */
+void __init init_dom0_cpuid_policy(struct domain *d)
+{
+ struct cpu_policy *p = d->arch.cpuid;
+
+ /* Dom0 doesn't migrate relative to Xen. Give it ITSC if available. */
+ if ( cpu_has_itsc )
+ p->extd.itsc = true;
+
+ /* Apply dom0-cpuid= command line settings, if provided. */
+ if ( dom0_cpuid_cmdline )
+ {
+ uint32_t fs[FSCAPINTS];
+ unsigned int i;
+
+ x86_cpu_policy_to_featureset(p, fs);
+
+ for ( i = 0; i < ARRAY_SIZE(fs); ++i )
+ {
+ fs[i] |= dom0_enable_feat [i];
+ fs[i] &= ~dom0_disable_feat[i];
+ }
+
+ x86_cpu_featureset_to_policy(fs, p);
+ }
+
+ /*
+ * PV Control domains used to require unfiltered CPUID. This was fixed in
+ * Xen 4.13, but there is an cmdline knob to restore the prior behaviour.
+ *
+ * If the domain is getting unfiltered CPUID, don't let the guest kernel
+ * play with CPUID faulting either, as Xen's CPUID path won't cope.
+ */
+ if ( !opt_dom0_cpuid_faulting && is_control_domain(d) && is_pv_domain(d) )
+ p->platform_info.cpuid_faulting = false;
+
+ recalculate_cpuid_policy(d);
+}
+
+static void __init __maybe_unused build_assertions(void)
+{
+ BUILD_BUG_ON(ARRAY_SIZE(known_features) != FSCAPINTS);
+ BUILD_BUG_ON(ARRAY_SIZE(pv_max_featuremask) != FSCAPINTS);
+ BUILD_BUG_ON(ARRAY_SIZE(hvm_shadow_max_featuremask) != FSCAPINTS);
+ BUILD_BUG_ON(ARRAY_SIZE(hvm_hap_max_featuremask) != FSCAPINTS);
+ BUILD_BUG_ON(ARRAY_SIZE(deep_features) != FSCAPINTS);
+
+ /* Find some more clever allocation scheme if this trips. */
+ BUILD_BUG_ON(sizeof(struct cpu_policy) > PAGE_SIZE);
+
+ BUILD_BUG_ON(sizeof(raw_cpu_policy.basic) !=
+ sizeof(raw_cpu_policy.basic.raw));
+ BUILD_BUG_ON(sizeof(raw_cpu_policy.feat) !=
+ sizeof(raw_cpu_policy.feat.raw));
+ BUILD_BUG_ON(sizeof(raw_cpu_policy.xstate) !=
+ sizeof(raw_cpu_policy.xstate.raw));
+ BUILD_BUG_ON(sizeof(raw_cpu_policy.extd) !=
+ sizeof(raw_cpu_policy.extd.raw));
+}
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/domain.c xen-4.14.6/xen/arch/x86/domain.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/domain.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/domain.c 2023-08-07 14:11:14.000000000 +0200
@@ -64,6 +64,7 @@
#include <xen/numa.h>
#include <xen/iommu.h>
#include <compat/vcpu.h>
+#include <asm/cpu-policy.h>
#include <asm/psr.h>
#include <asm/pv/domain.h>
#include <asm/pv/mm.h>
@@ -534,8 +535,7 @@
d->arch.ctxt_switch = &idle_csw;
- d->arch.cpuid = ZERO_BLOCK_PTR; /* Catch stray misuses. */
- d->arch.msr = ZERO_BLOCK_PTR;
+ d->arch.cpu_policy = ZERO_BLOCK_PTR; /* Catch stray misuses. */
return 0;
}
@@ -588,10 +588,7 @@
goto fail;
paging_initialised = true;
- if ( (rc = init_domain_cpuid_policy(d)) )
- goto fail;
-
- if ( (rc = init_domain_msr_policy(d)) )
+ if ( (rc = init_domain_cpu_policy(d)) )
goto fail;
d->arch.ioport_caps =
@@ -660,8 +657,7 @@
iommu_domain_destroy(d);
cleanup_domain_irq_mapping(d);
free_xenheap_page(d->shared_info);
- xfree(d->arch.cpuid);
- xfree(d->arch.msr);
+ XFREE(d->arch.cpu_policy);
if ( paging_initialised )
paging_final_teardown(d);
free_perdomain_mappings(d);
@@ -675,8 +671,7 @@
hvm_domain_destroy(d);
xfree(d->arch.e820);
- xfree(d->arch.cpuid);
- xfree(d->arch.msr);
+ XFREE(d->arch.cpu_policy);
free_domain_pirqs(d);
if ( !is_idle_domain(d) )
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/domctl.c xen-4.14.6/xen/arch/x86/domctl.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/domctl.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/domctl.c 2023-08-07 14:11:14.000000000 +0200
@@ -35,7 +35,7 @@
#include <asm/xstate.h>
#include <asm/debugger.h>
#include <asm/psr.h>
-#include <asm/cpuid.h>
+#include <asm/cpu-policy.h>
#ifdef CONFIG_GDBSX
static int gdbsx_guest_mem_io(domid_t domid, struct xen_domctl_gdbsx_memio *iop)
@@ -51,7 +51,7 @@
void domain_cpu_policy_changed(struct domain *d)
{
- const struct cpuid_policy *p = d->arch.cpuid;
+ const struct cpu_policy *p = d->arch.cpu_policy;
struct vcpu *v;
if ( is_pv_domain(d) )
@@ -219,40 +219,44 @@
static int update_domain_cpu_policy(struct domain *d,
xen_domctl_cpu_policy_t *xdpc)
{
- struct cpu_policy new = {};
+ struct cpu_policy *new;
const struct cpu_policy *sys = is_pv_domain(d)
- ? &system_policies[XEN_SYSCTL_cpu_policy_pv_max]
- : &system_policies[XEN_SYSCTL_cpu_policy_hvm_max];
+ ? (IS_ENABLED(CONFIG_PV) ? &pv_max_cpu_policy : NULL)
+ : (IS_ENABLED(CONFIG_HVM) ? &hvm_max_cpu_policy : NULL);
struct cpu_policy_errors err = INIT_CPU_POLICY_ERRORS;
int ret = -ENOMEM;
- /* Start by copying the domain's existing policies. */
- if ( !(new.cpuid = xmemdup(d->arch.cpuid)) ||
- !(new.msr = xmemdup(d->arch.msr)) )
+ if ( !sys )
+ {
+ ASSERT_UNREACHABLE();
+ return -EOPNOTSUPP;
+ }
+
+ /* Start by copying the domain's existing policy. */
+ if ( !(new = xmemdup(d->arch.cpu_policy)) )
goto out;
/* Merge the toolstack provided data. */
if ( (ret = x86_cpuid_copy_from_buffer(
- new.cpuid, xdpc->cpuid_policy, xdpc->nr_leaves,
+ new, xdpc->leaves, xdpc->nr_leaves,
&err.leaf, &err.subleaf)) ||
(ret = x86_msr_copy_from_buffer(
- new.msr, xdpc->msr_policy, xdpc->nr_msrs, &err.msr)) )
+ new, xdpc->msrs, xdpc->nr_msrs, &err.msr)) )
goto out;
/* Trim any newly-stale out-of-range leaves. */
- x86_cpuid_policy_clear_out_of_range_leaves(new.cpuid);
+ x86_cpu_policy_clear_out_of_range_leaves(new);
/* Audit the combined dataset. */
- ret = x86_cpu_policies_are_compatible(sys, &new, &err);
+ ret = x86_cpu_policies_are_compatible(sys, new, &err);
if ( ret )
goto out;
/*
- * Audit was successful. Replace existing policies, leaving the old
- * policies to be freed.
+ * Audit was successful. Replace the existing policy, leaving the old one
+ * to be freed.
*/
- SWAP(new.cpuid, d->arch.cpuid);
- SWAP(new.msr, d->arch.msr);
+ SWAP(new, d->arch.cpu_policy);
/* TODO: Drop when x86_cpu_policies_are_compatible() is completed. */
recalculate_cpuid_policy(d);
@@ -261,9 +265,8 @@
domain_cpu_policy_changed(d);
out:
- /* Free whichever cpuid/msr structs are not installed in struct domain. */
- xfree(new.cpuid);
- xfree(new.msr);
+ /* Free whichever struct is not installed in struct domain. */
+ xfree(new);
if ( ret )
{
@@ -1451,20 +1454,20 @@
case XEN_DOMCTL_get_cpu_policy:
/* Process the CPUID leaves. */
- if ( guest_handle_is_null(domctl->u.cpu_policy.cpuid_policy) )
+ if ( guest_handle_is_null(domctl->u.cpu_policy.leaves) )
domctl->u.cpu_policy.nr_leaves = CPUID_MAX_SERIALISED_LEAVES;
else if ( (ret = x86_cpuid_copy_to_buffer(
- d->arch.cpuid,
- domctl->u.cpu_policy.cpuid_policy,
+ d->arch.cpu_policy,
+ domctl->u.cpu_policy.leaves,
&domctl->u.cpu_policy.nr_leaves)) )
break;
/* Process the MSR entries. */
- if ( guest_handle_is_null(domctl->u.cpu_policy.msr_policy) )
+ if ( guest_handle_is_null(domctl->u.cpu_policy.msrs) )
domctl->u.cpu_policy.nr_msrs = MSR_MAX_SERIALISED_ENTRIES;
else if ( (ret = x86_msr_copy_to_buffer(
- d->arch.msr,
- domctl->u.cpu_policy.msr_policy,
+ d->arch.cpu_policy,
+ domctl->u.cpu_policy.msrs,
&domctl->u.cpu_policy.nr_msrs)) )
break;
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/hvm/emulate.c xen-4.14.6/xen/arch/x86/hvm/emulate.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/hvm/emulate.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/hvm/emulate.c 2023-08-07 14:11:14.000000000 +0200
@@ -2775,7 +2775,7 @@
void hvm_emulate_one_vm_event(enum emul_kind kind, unsigned int trapnr,
unsigned int errcode)
{
- struct hvm_emulate_ctxt ctx = {{ 0 }};
+ struct hvm_emulate_ctxt ctx = {};
int rc;
hvm_emulate_init_once(&ctx, NULL, guest_cpu_user_regs());
@@ -2850,7 +2850,7 @@
hvmemul_ctxt->validate = validate;
hvmemul_ctxt->ctxt.regs = regs;
- hvmemul_ctxt->ctxt.cpuid = curr->domain->arch.cpuid;
+ hvmemul_ctxt->ctxt.cpu_policy = curr->domain->arch.cpu_policy;
hvmemul_ctxt->ctxt.force_writeback = true;
}
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/hvm/hvm.c xen-4.14.6/xen/arch/x86/hvm/hvm.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/hvm/hvm.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/hvm/hvm.c 2023-08-07 14:11:14.000000000 +0200
@@ -77,7 +77,6 @@
#include <public/memory.h>
#include <public/vm_event.h>
#include <public/arch-x86/cpuid.h>
-#include <asm/cpuid.h>
#include <compat/hvm/hvm_op.h>
@@ -937,7 +936,7 @@
signed int cr0_pg)
{
const struct domain *d = v->domain;
- const struct cpuid_policy *p = d->arch.cpuid;
+ const struct cpu_policy *p = d->arch.cpu_policy;
if ( value & ~EFER_KNOWN_MASK )
return "Unknown bits set";
@@ -974,7 +973,7 @@
/* These bits in CR4 can be set by the guest. */
unsigned long hvm_cr4_guest_valid_bits(const struct domain *d, bool restore)
{
- const struct cpuid_policy *p = d->arch.cpuid;
+ const struct cpu_policy *p = d->arch.cpu_policy;
bool mce, vmxe;
/* Logic broken out simply to aid readability below. */
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/hvm/svm/svm.c xen-4.14.6/xen/arch/x86/hvm/svm/svm.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/hvm/svm/svm.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/hvm/svm/svm.c 2023-08-07 14:11:14.000000000 +0200
@@ -593,7 +593,7 @@
{
struct svm_vcpu *svm = &v->arch.hvm.svm;
struct vmcb_struct *vmcb = svm->vmcb;
- const struct cpuid_policy *cp = v->domain->arch.cpuid;
+ const struct cpu_policy *cp = v->domain->arch.cpu_policy;
u32 bitmap = vmcb_get_exception_intercepts(vmcb);
if ( opt_hvm_fep ||
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/hvm/vlapic.c xen-4.14.6/xen/arch/x86/hvm/vlapic.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/hvm/vlapic.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/hvm/vlapic.c 2023-08-07 14:11:14.000000000 +0200
@@ -1083,7 +1083,7 @@
int guest_wrmsr_apic_base(struct vcpu *v, uint64_t value)
{
- const struct cpuid_policy *cp = v->domain->arch.cpuid;
+ const struct cpu_policy *cp = v->domain->arch.cpu_policy;
struct vlapic *vlapic = vcpu_vlapic(v);
if ( !has_vlapic(v->domain) )
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/hvm/vmx/vmx.c xen-4.14.6/xen/arch/x86/hvm/vmx/vmx.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/hvm/vmx/vmx.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/hvm/vmx/vmx.c 2023-08-07 14:11:14.000000000 +0200
@@ -557,7 +557,7 @@
static void vmx_cpuid_policy_changed(struct vcpu *v)
{
- const struct cpuid_policy *cp = v->domain->arch.cpuid;
+ const struct cpu_policy *cp = v->domain->arch.cpu_policy;
int rc = 0;
if ( opt_hvm_fep ||
@@ -2464,8 +2464,6 @@
*/
static bool __init has_if_pschange_mc(void)
{
- uint64_t caps = 0;
-
/*
* If we are virtualised, there is nothing we can do. Our EPT tables are
* shadowed by our hypervisor, and not walked by hardware.
@@ -2473,10 +2471,8 @@
if ( cpu_has_hypervisor )
return false;
- if ( cpu_has_arch_caps )
- rdmsrl(MSR_ARCH_CAPABILITIES, caps);
-
- if ( caps & ARCH_CAPS_IF_PSCHANGE_MC_NO )
+ /* Hardware reports itself as fixed. */
+ if ( cpu_has_if_pschange_mc_no )
return false;
/*
@@ -3258,7 +3254,7 @@
static int vmx_msr_write_intercept(unsigned int msr, uint64_t msr_content)
{
struct vcpu *v = current;
- const struct cpuid_policy *cp = v->domain->arch.cpuid;
+ const struct cpu_policy *cp = v->domain->arch.cpu_policy;
HVM_DBG_LOG(DBG_LEVEL_MSR, "ecx=%#x, msr_value=%#"PRIx64, msr, msr_content);
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/Makefile xen-4.14.6/xen/arch/x86/Makefile
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/Makefile 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/Makefile 2023-08-07 14:11:14.000000000 +0200
@@ -16,6 +16,7 @@
obj-bin-y += bzimage.init.o
obj-bin-y += clear_page.o
obj-bin-y += copy_page.o
+obj-y += cpu-policy.o
obj-y += cpuid.o
obj-$(CONFIG_PV) += compat.o x86_64/compat.o
obj-$(CONFIG_KEXEC) += crash.o
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/mm/shadow/hvm.c xen-4.14.6/xen/arch/x86/mm/shadow/hvm.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/mm/shadow/hvm.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/mm/shadow/hvm.c 2023-08-07 14:11:14.000000000 +0200
@@ -322,7 +322,7 @@
memset(sh_ctxt, 0, sizeof(*sh_ctxt));
sh_ctxt->ctxt.regs = regs;
- sh_ctxt->ctxt.cpuid = curr->domain->arch.cpuid;
+ sh_ctxt->ctxt.cpu_policy = curr->domain->arch.cpu_policy;
sh_ctxt->ctxt.lma = hvm_long_mode_active(curr);
/* Segment cache initialisation. Primed with CS. */
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/msr.c xen-4.14.6/xen/arch/x86/msr.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/msr.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/msr.c 2023-08-07 14:11:14.000000000 +0200
@@ -24,6 +24,7 @@
#include <xen/nospec.h>
#include <xen/sched.h>
+#include <asm/cpu-policy.h>
#include <asm/debugreg.h>
#include <asm/hvm/viridian.h>
#include <asm/msr.h>
@@ -34,124 +35,6 @@
DEFINE_PER_CPU(uint32_t, tsc_aux);
-struct msr_policy __read_mostly raw_msr_policy,
- __read_mostly host_msr_policy;
-#ifdef CONFIG_PV
-struct msr_policy __read_mostly pv_max_msr_policy;
-struct msr_policy __read_mostly pv_def_msr_policy;
-#endif
-#ifdef CONFIG_HVM
-struct msr_policy __read_mostly hvm_max_msr_policy;
-struct msr_policy __read_mostly hvm_def_msr_policy;
-#endif
-
-static void __init calculate_raw_policy(void)
-{
- /* 0x000000ce MSR_INTEL_PLATFORM_INFO */
- /* Was already added by probe_cpuid_faulting() */
-}
-
-static void __init calculate_host_policy(void)
-{
- struct msr_policy *mp = &host_msr_policy;
-
- *mp = raw_msr_policy;
-
- /* 0x000000ce MSR_INTEL_PLATFORM_INFO */
- /* probe_cpuid_faulting() sanity checks presence of MISC_FEATURES_ENABLES */
- mp->platform_info.cpuid_faulting = cpu_has_cpuid_faulting;
-}
-
-static void __init calculate_pv_max_policy(void)
-{
- struct msr_policy *mp = &pv_max_msr_policy;
-
- *mp = host_msr_policy;
-}
-
-static void __init calculate_pv_def_policy(void)
-{
- struct msr_policy *mp = &pv_def_msr_policy;
-
- *mp = pv_max_msr_policy;
-}
-
-static void __init calculate_hvm_max_policy(void)
-{
- struct msr_policy *mp = &hvm_max_msr_policy;
-
- *mp = host_msr_policy;
-
- /* It's always possible to emulate CPUID faulting for HVM guests */
- mp->platform_info.cpuid_faulting = true;
-}
-
-static void __init calculate_hvm_def_policy(void)
-{
- struct msr_policy *mp = &hvm_def_msr_policy;
-
- *mp = hvm_max_msr_policy;
-}
-
-void __init init_guest_msr_policy(void)
-{
- calculate_raw_policy();
- calculate_host_policy();
-
- if ( IS_ENABLED(CONFIG_PV) )
- {
- calculate_pv_max_policy();
- calculate_pv_def_policy();
- }
-
- if ( hvm_enabled )
- {
- calculate_hvm_max_policy();
- calculate_hvm_def_policy();
- }
-}
-
-int init_domain_msr_policy(struct domain *d)
-{
- struct msr_policy *mp = is_pv_domain(d)
- ? (IS_ENABLED(CONFIG_PV) ? &pv_def_msr_policy : NULL)
- : (IS_ENABLED(CONFIG_HVM) ? &hvm_def_msr_policy : NULL);
-
- if ( !mp )
- {
- ASSERT_UNREACHABLE();
- return -EOPNOTSUPP;
- }
-
- mp = xmemdup(mp);
- if ( !mp )
- return -ENOMEM;
-
- /* See comment in ctxt_switch_levelling() */
- if ( !opt_dom0_cpuid_faulting && is_control_domain(d) && is_pv_domain(d) )
- mp->platform_info.cpuid_faulting = false;
-
- /*
- * Expose the "hardware speculation behaviour" bits of ARCH_CAPS to dom0,
- * so dom0 can turn off workarounds as appropriate. Temporary, until the
- * domain policy logic gains a better understanding of MSRs.
- */
- if ( is_hardware_domain(d) && cpu_has_arch_caps )
- {
- uint64_t val;
-
- rdmsrl(MSR_ARCH_CAPABILITIES, val);
-
- mp->arch_caps.raw = val &
- (ARCH_CAPS_RDCL_NO | ARCH_CAPS_IBRS_ALL | ARCH_CAPS_RSBA |
- ARCH_CAPS_SSB_NO | ARCH_CAPS_MDS_NO | ARCH_CAPS_TAA_NO);
- }
-
- d->arch.msr = mp;
-
- return 0;
-}
-
int init_vcpu_msr_policy(struct vcpu *v)
{
struct vcpu_msrs *msrs = xzalloc(struct vcpu_msrs);
@@ -168,8 +51,7 @@
{
const struct vcpu *curr = current;
const struct domain *d = v->domain;
- const struct cpuid_policy *cp = d->arch.cpuid;
- const struct msr_policy *mp = d->arch.msr;
+ const struct cpu_policy *cp = d->arch.cpu_policy;
const struct vcpu_msrs *msrs = v->arch.msrs;
int ret = X86EMUL_OKAY;
@@ -241,13 +123,13 @@
goto get_reg;
case MSR_INTEL_PLATFORM_INFO:
- *val = mp->platform_info.raw;
+ *val = cp->platform_info.raw;
break;
case MSR_ARCH_CAPABILITIES:
if ( !cp->feat.arch_caps )
goto gp_fault;
- *val = mp->arch_caps.raw;
+ *val = cp->arch_caps.raw;
break;
case MSR_INTEL_MISC_FEATURES_ENABLES:
@@ -365,7 +247,7 @@
* separate CPUID features for this functionality, but only set will be
* active.
*/
-uint64_t msr_spec_ctrl_valid_bits(const struct cpuid_policy *cp)
+uint64_t msr_spec_ctrl_valid_bits(const struct cpu_policy *cp)
{
bool ssbd = cp->feat.ssbd || cp->extd.amd_ssbd;
bool psfd = cp->feat.intel_psfd || cp->extd.psfd;
@@ -384,8 +266,7 @@
{
const struct vcpu *curr = current;
struct domain *d = v->domain;
- const struct cpuid_policy *cp = d->arch.cpuid;
- const struct msr_policy *mp = d->arch.msr;
+ const struct cpu_policy *cp = d->arch.cpu_policy;
struct vcpu_msrs *msrs = v->arch.msrs;
int ret = X86EMUL_OKAY;
@@ -435,7 +316,7 @@
* for backwards compatiblity, the OS should write 0 to it before
* trying to access the current microcode version.
*/
- if ( d->arch.cpuid->x86_vendor != X86_VENDOR_INTEL || val != 0 )
+ if ( cp->x86_vendor != X86_VENDOR_INTEL || val != 0 )
goto gp_fault;
break;
@@ -445,7 +326,7 @@
* to AMD CPUs as well (at least the architectural/CPUID part does).
*/
if ( is_pv_domain(d) ||
- d->arch.cpuid->x86_vendor != X86_VENDOR_AMD )
+ cp->x86_vendor != X86_VENDOR_AMD )
goto gp_fault;
break;
@@ -457,7 +338,7 @@
* by any CPUID bit.
*/
if ( is_pv_domain(d) ||
- d->arch.cpuid->x86_vendor != X86_VENDOR_INTEL )
+ cp->x86_vendor != X86_VENDOR_INTEL )
goto gp_fault;
break;
@@ -471,7 +352,10 @@
if ( !cp->feat.ibrsb && !cp->extd.ibpb )
goto gp_fault; /* MSR available? */
- if ( val & ~PRED_CMD_IBPB )
+ rsvd = ~(PRED_CMD_IBPB |
+ (cp->extd.sbpb ? PRED_CMD_SBPB : 0));
+
+ if ( val & rsvd )
goto gp_fault; /* Rsvd bit set? */
if ( v == curr )
@@ -494,7 +378,7 @@
bool old_cpuid_faulting = msrs->misc_features_enables.cpuid_faulting;
rsvd = ~0ull;
- if ( mp->platform_info.cpuid_faulting )
+ if ( cp->platform_info.cpuid_faulting )
rsvd &= ~MSR_MISC_FEATURES_CPUID_FAULTING;
if ( val & rsvd )
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/pv/domain.c xen-4.14.6/xen/arch/x86/pv/domain.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/pv/domain.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/pv/domain.c 2023-08-07 14:11:14.000000000 +0200
@@ -10,6 +10,7 @@
#include <xen/param.h>
#include <xen/sched.h>
+#include <asm/cpu-policy.h>
#include <asm/cpufeature.h>
#include <asm/invpcid.h>
#include <asm/spec_ctrl.h>
@@ -151,7 +152,7 @@
unsigned long pv_fixup_guest_cr4(const struct vcpu *v, unsigned long cr4)
{
- const struct cpuid_policy *p = v->domain->arch.cpuid;
+ const struct cpu_policy *p = v->domain->arch.cpu_policy;
/* Discard attempts to set guest controllable bits outside of the policy. */
cr4 &= ~((p->basic.tsc ? 0 : X86_CR4_TSD) |
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/pv/emul-priv-op.c xen-4.14.6/xen/arch/x86/pv/emul-priv-op.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/pv/emul-priv-op.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/pv/emul-priv-op.c 2023-08-07 14:11:14.000000000 +0200
@@ -1254,7 +1254,7 @@
struct domain *currd = curr->domain;
struct priv_op_ctxt ctxt = {
.ctxt.regs = regs,
- .ctxt.cpuid = currd->arch.cpuid,
+ .ctxt.cpu_policy = currd->arch.cpu_policy,
.ctxt.lma = !is_pv_32bit_domain(currd),
};
int rc;
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/pv/ro-page-fault.c xen-4.14.6/xen/arch/x86/pv/ro-page-fault.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/pv/ro-page-fault.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/pv/ro-page-fault.c 2023-08-07 14:11:14.000000000 +0200
@@ -340,7 +340,7 @@
unsigned int addr_size = is_pv_32bit_domain(currd) ? 32 : BITS_PER_LONG;
struct x86_emulate_ctxt ctxt = {
.regs = regs,
- .cpuid = currd->arch.cpuid,
+ .cpu_policy = currd->arch.cpu_policy,
.addr_size = addr_size,
.sp_size = addr_size,
.lma = addr_size > 32,
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/setup.c xen-4.14.6/xen/arch/x86/setup.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/setup.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/setup.c 2023-08-07 14:11:14.000000000 +0200
@@ -49,7 +49,7 @@
#include <asm/nmi.h>
#include <asm/alternative.h>
#include <asm/mc146818rtc.h>
-#include <asm/cpuid.h>
+#include <asm/cpu-policy.h>
#include <asm/spec_ctrl.h>
#include <asm/guest.h>
#include <asm/microcode.h>
@@ -770,6 +770,7 @@
};
struct domain *d;
char *cmdline;
+ domid_t domid;
if ( opt_dom0_pvh )
{
@@ -784,10 +785,16 @@
if ( iommu_enabled )
dom0_cfg.flags |= XEN_DOMCTL_CDF_iommu;
- /* Create initial domain 0. */
- d = domain_create(get_initial_domain_id(), &dom0_cfg, !pv_shim);
- if ( IS_ERR(d) || (alloc_dom0_vcpu0(d) == NULL) )
- panic("Error creating domain 0\n");
+ /* Create initial domain. Not d0 for pvshim. */
+ domid = get_initial_domain_id();
+ d = domain_create(domid, &dom0_cfg, !pv_shim);
+ if ( IS_ERR(d) )
+ panic("Error creating d%u: %ld\n", domid, PTR_ERR(d));
+
+ init_dom0_cpuid_policy(d);
+
+ if ( alloc_dom0_vcpu0(d) == NULL )
+ panic("Error creating d%uv0\n", domid);
/* Grab the DOM0 command line. */
cmdline = image->string ? __va(image->string) : NULL;
@@ -1937,8 +1944,7 @@
if ( !tboot_protect_mem_regions() )
panic("Could not protect TXT memory regions\n");
- init_guest_cpuid();
- init_guest_msr_policy();
+ init_guest_cpu_policies();
if ( xen_cpuidle )
xen_processor_pmbits |= XEN_PROCESSOR_PM_CX;
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/spec_ctrl.c xen-4.14.6/xen/arch/x86/spec_ctrl.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/spec_ctrl.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/spec_ctrl.c 2023-08-07 14:11:14.000000000 +0200
@@ -77,6 +77,7 @@
static int8_t __initdata opt_srb_lock = -1;
static bool __initdata opt_unpriv_mmio;
static bool __read_mostly opt_fb_clear_mmio;
+static int8_t __initdata opt_gds_mit = -1;
static int __init parse_spec_ctrl(const char *s)
{
@@ -130,6 +131,7 @@
opt_branch_harden = false;
opt_srb_lock = 0;
opt_unpriv_mmio = false;
+ opt_gds_mit = 0;
}
else if ( val > 0 )
rc = -EINVAL;
@@ -280,6 +282,8 @@
opt_srb_lock = val;
else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 )
opt_unpriv_mmio = val;
+ else if ( (val = parse_boolean("gds-mit", s, ss)) >= 0 )
+ opt_gds_mit = val;
else
rc = -EINVAL;
@@ -293,12 +297,10 @@
int8_t __read_mostly opt_xpti_hwdom = -1;
int8_t __read_mostly opt_xpti_domu = -1;
-static __init void xpti_init_default(uint64_t caps)
+static __init void xpti_init_default(void)
{
- if ( boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON) )
- caps = ARCH_CAPS_RDCL_NO;
-
- if ( caps & ARCH_CAPS_RDCL_NO )
+ if ( (boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON)) ||
+ cpu_has_rdcl_no )
{
if ( opt_xpti_hwdom < 0 )
opt_xpti_hwdom = 0;
@@ -401,9 +403,10 @@
}
custom_param("pv-l1tf", parse_pv_l1tf);
-static void __init print_details(enum ind_thunk thunk, uint64_t caps)
+static void __init print_details(enum ind_thunk thunk)
{
- unsigned int _7d0 = 0, _7d2 = 0, e8b = 0, max = 0, tmp;
+ unsigned int _7d0 = 0, _7d2 = 0, e8b = 0, e21a = 0, max = 0, tmp;
+ uint64_t caps = 0;
/* Collect diagnostics about available mitigations. */
if ( boot_cpu_data.cpuid_level >= 7 )
@@ -412,6 +415,10 @@
cpuid_count(7, 2, &tmp, &tmp, &tmp, &_7d2);
if ( boot_cpu_data.extended_cpuid_level >= 0x80000008 )
cpuid(0x80000008, &tmp, &e8b, &tmp, &tmp);
+ if ( boot_cpu_data.extended_cpuid_level >= 0x80000021 )
+ cpuid(0x80000021, &e21a, &tmp, &tmp, &tmp);
+ if ( cpu_has_arch_caps )
+ rdmsrl(MSR_ARCH_CAPABILITIES, caps);
printk("Speculative mitigation facilities:\n");
@@ -419,10 +426,11 @@
* Hardware read-only information, stating immunity to certain issues, or
* suggestions of which mitigation to use.
*/
- printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
+ printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
(caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "",
- (caps & ARCH_CAPS_IBRS_ALL) ? " IBRS_ALL" : "",
+ (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "",
(caps & ARCH_CAPS_RSBA) ? " RSBA" : "",
+ (caps & ARCH_CAPS_RRSBA) ? " RRSBA" : "",
(caps & ARCH_CAPS_SKIP_L1DFL) ? " SKIP_L1DFL" : "",
(e8b & cpufeat_mask(X86_FEATURE_SSB_NO)) ||
(caps & ARCH_CAPS_SSB_NO) ? " SSB_NO" : "",
@@ -431,15 +439,20 @@
(caps & ARCH_CAPS_SBDR_SSDP_NO) ? " SBDR_SSDP_NO" : "",
(caps & ARCH_CAPS_FBSDP_NO) ? " FBSDP_NO" : "",
(caps & ARCH_CAPS_PSDP_NO) ? " PSDP_NO" : "",
+ (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "",
+ (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "",
+ (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "",
(e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "",
(e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "",
(e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "",
(e8b & cpufeat_mask(X86_FEATURE_IBRS_SAME_MODE)) ? " IBRS_SAME_MODE" : "",
(e8b & cpufeat_mask(X86_FEATURE_BTC_NO)) ? " BTC_NO" : "",
- (e8b & cpufeat_mask(X86_FEATURE_IBPB_RET)) ? " IBPB_RET" : "");
+ (e8b & cpufeat_mask(X86_FEATURE_IBPB_RET)) ? " IBPB_RET" : "",
+ (e21a & cpufeat_mask(X86_FEATURE_IBPB_BRTYPE)) ? " IBPB_BRTYPE" : "",
+ (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : "");
/* Hardware features which need driving to mitigate issues. */
- printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s\n",
+ printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
(e8b & cpufeat_mask(X86_FEATURE_IBPB)) ||
(_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "",
(e8b & cpufeat_mask(X86_FEATURE_IBRS)) ||
@@ -455,8 +468,9 @@
(_7d0 & cpufeat_mask(X86_FEATURE_SRBDS_CTRL)) ? " SRBDS_CTRL" : "",
(e8b & cpufeat_mask(X86_FEATURE_VIRT_SSBD)) ? " VIRT_SSBD" : "",
(caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "",
- (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "",
- (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "");
+ (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "",
+ (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "",
+ (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : "");
/* Compiled-in support which pertains to mitigations. */
if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) )
@@ -585,10 +599,14 @@
return false;
}
-/* Calculate whether Retpoline is known-safe on this CPU. */
-static bool __init retpoline_safe(uint64_t caps)
+/*
+ * Calculate whether Retpoline is known-safe on this CPU. Fix up the
+ * RSBA/RRSBA bits as necessary.
+ */
+static bool __init retpoline_calculations(void)
{
unsigned int ucode_rev = this_cpu(cpu_sig).rev;
+ bool safe = false;
if ( boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON) )
return true;
@@ -598,14 +616,92 @@
return false;
/*
- * RSBA may be set by a hypervisor to indicate that we may move to a
- * processor which isn't retpoline-safe.
+ * The meaning of the RSBA and RRSBA bits have evolved over time. The
+ * agreed upon meaning at the time of writing (May 2023) is thus:
*
+ * - RSBA (RSB Alternative) means that an RSB may fall back to an
+ * alternative predictor on underflow. Skylake uarch and later all have
+ * this property. Broadwell too, when running microcode versions prior
+ * to Jan 2018.
+ *
+ * - All eIBRS-capable processors suffer RSBA, but eIBRS also introduces
+ * tagging of predictions with the mode in which they were learned. So
+ * when eIBRS is active, RSBA becomes RRSBA (Restricted RSBA).
+ *
+ * - CPUs are not expected to enumerate both RSBA and RRSBA.
+ *
+ * Some parts (Broadwell) are not expected to ever enumerate this
+ * behaviour directly. Other parts have differing enumeration with
+ * microcode version. Fix up Xen's idea, so we can advertise them safely
+ * to guests, and so toolstacks can level a VM safety for migration.
+ *
+ * The following states exist:
+ *
+ * | | RSBA | EIBRS | RRSBA | Notes | Action (in principle) |
+ * |---+------+-------+-------+--------------------+-----------------------|
+ * | 1 | 0 | 0 | 0 | OK (older parts) | Maybe +RSBA |
+ * | 2 | 0 | 0 | 1 | Broken | (+RSBA, -RRSBA) |
+ * | 3 | 0 | 1 | 0 | OK (pre-Aug ucode) | +RRSBA |
+ * | 4 | 0 | 1 | 1 | OK | |
+ * | 5 | 1 | 0 | 0 | OK | |
+ * | 6 | 1 | 0 | 1 | Broken | (-RRSBA) |
+ * | 7 | 1 | 1 | 0 | Broken | (-RSBA, +RRSBA) |
+ * | 8 | 1 | 1 | 1 | Broken | (-RSBA) |
+ *
+ * However, we don't need perfect adherence to the spec. We only need
+ * RSBA || RRSBA to indicate "alternative predictors potentially in use".
+ * Rows 1 & 3 are fixed up by later logic, as they're known configurations
+ * which exist in the world.
+ *
+ * Complain loudly at the broken cases. They're safe for Xen to use (so we
+ * don't attempt to correct), and may or may not exist in reality, but if
+ * we ever encounter them in practice, something is wrong and needs
+ * further investigation.
+ */
+ if ( cpu_has_eibrs ? cpu_has_rsba /* Rows 7, 8 */
+ : cpu_has_rrsba /* Rows 2, 6 */ )
+ {
+ printk(XENLOG_ERR
+ "FIRMWARE BUG: CPU %02x-%02x-%02x, ucode 0x%08x: RSBA %u, EIBRS %u, RRSBA %u\n",
+ boot_cpu_data.x86, boot_cpu_data.x86_model,
+ boot_cpu_data.x86_mask, ucode_rev,
+ cpu_has_rsba, cpu_has_eibrs, cpu_has_rrsba);
+ add_taint(TAINT_CPU_OUT_OF_SPEC);
+ }
+
+ /*
* Processors offering Enhanced IBRS are not guarenteed to be
* repoline-safe.
*/
- if ( caps & (ARCH_CAPS_RSBA | ARCH_CAPS_IBRS_ALL) )
+ if ( cpu_has_eibrs )
+ {
+ /*
+ * Prior to the August 2023 microcode, many eIBRS-capable parts did
+ * not enumerate RRSBA.
+ */
+ if ( !cpu_has_rrsba )
+ setup_force_cpu_cap(X86_FEATURE_RRSBA);
+
return false;
+ }
+
+ /*
+ * RSBA is explicitly enumerated in some cases, but may also be set by a
+ * hypervisor to indicate that we may move to a processor which isn't
+ * retpoline-safe.
+ */
+ if ( cpu_has_rsba )
+ return false;
+
+ /*
+ * At this point, we've filtered all the legal RSBA || RRSBA cases (or the
+ * known non-ideal cases). If ARCH_CAPS is visible, trust the absence of
+ * RSBA || RRSBA. There's no known microcode which advertises ARCH_CAPS
+ * without RSBA or EIBRS, and if we're virtualised we can't rely the model
+ * check anyway.
+ */
+ if ( cpu_has_arch_caps )
+ return true;
switch ( boot_cpu_data.x86_model )
{
@@ -626,29 +722,31 @@
case 0x3f: /* Haswell EX/EP */
case 0x45: /* Haswell D */
case 0x46: /* Haswell H */
- return true;
+ safe = true;
+ break;
/*
* Broadwell processors are retpoline-safe after specific microcode
* versions.
*/
case 0x3d: /* Broadwell */
- return ucode_rev >= 0x2a;
+ safe = ucode_rev >= 0x2a; break;
case 0x47: /* Broadwell H */
- return ucode_rev >= 0x1d;
+ safe = ucode_rev >= 0x1d; break;
case 0x4f: /* Broadwell EP/EX */
- return ucode_rev >= 0xb000021;
+ safe = ucode_rev >= 0xb000021; break;
case 0x56: /* Broadwell D */
switch ( boot_cpu_data.x86_mask )
{
- case 2: return ucode_rev >= 0x15;
- case 3: return ucode_rev >= 0x7000012;
- case 4: return ucode_rev >= 0xf000011;
- case 5: return ucode_rev >= 0xe000009;
+ case 2: safe = ucode_rev >= 0x15; break;
+ case 3: safe = ucode_rev >= 0x7000012; break;
+ case 4: safe = ucode_rev >= 0xf000011; break;
+ case 5: safe = ucode_rev >= 0xe000009; break;
default:
printk("Unrecognised CPU stepping %#x - assuming not reptpoline safe\n",
boot_cpu_data.x86_mask);
- return false;
+ safe = false;
+ break;
}
break;
@@ -662,7 +760,8 @@
case 0x67: /* Cannonlake? */
case 0x8e: /* Kabylake M */
case 0x9e: /* Kabylake D */
- return false;
+ safe = false;
+ break;
/*
* Atom processors before Goldmont Plus/Gemini Lake are retpoline-safe.
@@ -681,13 +780,26 @@
case 0x5c: /* Goldmont */
case 0x5f: /* Denverton */
case 0x85: /* Knights Mill */
- return true;
+ safe = true;
+ break;
default:
printk("Unrecognised CPU model %#x - assuming not reptpoline safe\n",
boot_cpu_data.x86_model);
- return false;
+ safe = false;
+ break;
}
+
+ if ( !safe )
+ {
+ /*
+ * Note: the eIBRS-capable parts are filtered out earlier, so the
+ * remainder here are the ones which suffer RSBA behaviour.
+ */
+ setup_force_cpu_cap(X86_FEATURE_RSBA);
+ }
+
+ return safe;
}
/* Calculate whether this CPU speculates past #NM */
@@ -766,8 +878,67 @@
}
}
+static void __init srso_calculations(bool hw_smt_enabled)
+{
+ if ( !(boot_cpu_data.x86_vendor &
+ (X86_VENDOR_AMD | X86_VENDOR_HYGON)) )
+ return;
+
+ /*
+ * If virtualised, none of these heuristics are safe. Trust the
+ * hypervisor completely.
+ */
+ if ( cpu_has_hypervisor )
+ return;
+
+ if ( boot_cpu_data.x86 == 0x19 )
+ {
+ /*
+ * We could have a table of models/microcode revisions. ...or we
+ * could just look for the new feature added.
+ */
+ if ( wrmsr_safe(MSR_PRED_CMD, PRED_CMD_SBPB) == 0 )
+ {
+ setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE);
+ setup_force_cpu_cap(X86_FEATURE_SBPB);
+ }
+ else
+ printk(XENLOG_WARNING
+ "Vulnerable to SRSO, without suitable microcode to mitigate\n");
+ }
+ else if ( boot_cpu_data.x86 < 0x19 )
+ {
+ /*
+ * Zen1/2 (which have the IBPB microcode) have IBPB_BRTYPE behaviour
+ * already.
+ *
+ * Older CPUs are unknown, but their IBPB likely does flush branch
+ * types too. As we're synthesising for the benefit of guests, go
+ * with the likely option - this avoids VMs running on e.g. a Zen3
+ * thinking there's no SRSO mitigation available because it may
+ * migrate to e.g. a Bulldozer.
+ */
+ if ( boot_cpu_has(X86_FEATURE_IBPB) )
+ setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE);
+ }
+
+ /*
+ * In single-thread mode on Zen1/2, microarchitectural limits prevent SRSO
+ * attacks from being effective. Synthesise SRSO_NO if SMT is disabled in
+ * hardware.
+ *
+ * Booting with smt=0, or using xen-hptool should be effective too, but
+ * they can be altered at runtime so it's not safe to presume SRSO_NO.
+ */
+ if ( !hw_smt_enabled &&
+ (boot_cpu_data.x86 == 0x17 || boot_cpu_data.x86 == 0x18) )
+ setup_force_cpu_cap(X86_FEATURE_SRSO_NO);
+}
+
static void __init ibpb_calculations(void)
{
+ bool def_ibpb_entry = false;
+
/* Check we have hardware IBPB support before using it... */
if ( !boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBPB) )
{
@@ -776,28 +947,37 @@
return;
}
- /*
- * AMD/Hygon CPUs to date (June 2022) don't flush the the RAS. Future
- * CPUs are expected to enumerate IBPB_RET when this has been fixed.
- * Until then, cover the difference with the software sequence.
- */
- if ( boot_cpu_has(X86_FEATURE_IBPB) && !boot_cpu_has(X86_FEATURE_IBPB_RET) )
- setup_force_cpu_cap(X86_BUG_IBPB_NO_RET);
+ if ( boot_cpu_data.x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON) )
+ {
+ /*
+ * AMD/Hygon CPUs to date (June 2022) don't flush the RAS. Future
+ * CPUs are expected to enumerate IBPB_RET when this has been fixed.
+ * Until then, cover the difference with the software sequence.
+ */
+ if ( !boot_cpu_has(X86_FEATURE_IBPB_RET) )
+ setup_force_cpu_cap(X86_BUG_IBPB_NO_RET);
+
+ /*
+ * AMD/Hygon CPUs up to and including Zen2 suffer from Branch Type
+ * Confusion. Mitigate with IBPB-on-entry.
+ */
+ if ( !boot_cpu_has(X86_FEATURE_BTC_NO) )
+ def_ibpb_entry = true;
+
+ /*
+ * Further to BTC, Zen3/4 CPUs suffer from Speculative Return Stack
+ * Overflow in most configurations. Mitigate with IBPB-on-entry if we
+ * have the microcode that makes this an effective option.
+ */
+ if ( !boot_cpu_has(X86_FEATURE_SRSO_NO) &&
+ boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) )
+ def_ibpb_entry = true;
+ }
- /*
- * IBPB-on-entry mitigations for Branch Type Confusion.
- *
- * IBPB && !BTC_NO selects all AMD/Hygon hardware, not known to be safe,
- * that we can provide some form of mitigation on.
- */
if ( opt_ibpb_entry_pv == -1 )
- opt_ibpb_entry_pv = (IS_ENABLED(CONFIG_PV) &&
- boot_cpu_has(X86_FEATURE_IBPB) &&
- !boot_cpu_has(X86_FEATURE_BTC_NO));
+ opt_ibpb_entry_pv = IS_ENABLED(CONFIG_PV) && def_ibpb_entry;
if ( opt_ibpb_entry_hvm == -1 )
- opt_ibpb_entry_hvm = (IS_ENABLED(CONFIG_HVM) &&
- boot_cpu_has(X86_FEATURE_IBPB) &&
- !boot_cpu_has(X86_FEATURE_BTC_NO));
+ opt_ibpb_entry_hvm = IS_ENABLED(CONFIG_HVM) && def_ibpb_entry;
if ( opt_ibpb_entry_pv )
{
@@ -824,7 +1004,7 @@
}
/* Calculate whether this CPU is vulnerable to L1TF. */
-static __init void l1tf_calculations(uint64_t caps)
+static __init void l1tf_calculations(void)
{
bool hit_default = false;
@@ -912,7 +1092,7 @@
}
/* Any processor advertising RDCL_NO should be not vulnerable to L1TF. */
- if ( caps & ARCH_CAPS_RDCL_NO )
+ if ( cpu_has_rdcl_no )
cpu_has_bug_l1tf = false;
if ( cpu_has_bug_l1tf && hit_default )
@@ -971,7 +1151,7 @@
}
/* Calculate whether this CPU is vulnerable to MDS. */
-static __init void mds_calculations(uint64_t caps)
+static __init void mds_calculations(void)
{
/* MDS is only known to affect Intel Family 6 processors at this time. */
if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL ||
@@ -979,7 +1159,7 @@
return;
/* Any processor advertising MDS_NO should be not vulnerable to MDS. */
- if ( caps & ARCH_CAPS_MDS_NO )
+ if ( cpu_has_mds_no )
return;
switch ( boot_cpu_data.x86_model )
@@ -1071,6 +1251,158 @@
}
}
+static bool __init cpu_has_gds(void)
+{
+ /*
+ * Any part advertising GDS_NO should be not vulnerable to GDS. This
+ * includes cases where the hypervisor is mitigating behind our backs, or
+ * has synthesized GDS_NO on older parts for levelling purposes.
+ */
+ if ( cpu_has_gds_no )
+ return false;
+
+ /*
+ * On real hardware the GDS_CTRL control only exists on parts vulnerable
+ * to GDS and with up-to-date microcode. It might also be virtualised by
+ * an aware hypervisor, meaning "somewhere you might migrate to is
+ * vulnerable".
+ */
+ if ( cpu_has_gds_ctrl )
+ return true;
+
+ /*
+ * An attacker requires the use of the AVX2 GATHER instructions to leak
+ * data with GDS. However, the only way to block those instructions is to
+ * prevent XCR0[2] from being set, which is original AVX. A hypervisor
+ * might do this as a stopgap mitigation.
+ */
+ if ( !cpu_has_avx )
+ return false;
+
+ /*
+ * GDS affects the Core line from Skylake up to but not including Golden
+ * Cove (Alder Lake, Sapphire Rapids). Broadwell and older, and the Atom
+ * line, and all hybrid parts are unaffected.
+ */
+ switch ( boot_cpu_data.x86_model )
+ {
+ case 0x55: /* Skylake/Cascade Lake/Cooper Lake SP */
+ case 0x6a: /* Ice Lake SP */
+ case 0x6c: /* Ice Lake D */
+ case 0x7e: /* Ice Lake U/Y */
+ case 0x8c: /* Tiger Lake U */
+ case 0x8d: /* Tiger Lake H */
+ case 0x8e: /* Amber/Kaby/Coffee/Whiskey/Comet lake U/Y */
+ case 0x9e: /* Kaby/Coffee lake H/S/Xeon */
+ case 0xa5: /* Comet Lake H/S */
+ case 0xa6: /* Comet Lake U */
+ case 0xa7: /* Rocket Lake */
+ return true;
+
+ default:
+ /*
+ * If we've got here and are virtualised, we're most likely under a
+ * hypervisor unaware of GDS at which point we've lost. Err on the
+ * safe side.
+ */
+ return cpu_has_hypervisor;
+ }
+}
+
+static void __init gds_calculations(void)
+{
+ bool cpu_has_bug_gds, mitigated = false;
+
+ /* GDS is only known to affect Intel Family 6 processors at this time. */
+ if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL ||
+ boot_cpu_data.x86 != 6 )
+ return;
+
+ cpu_has_bug_gds = cpu_has_gds();
+
+ /*
+ * If we've got GDS_CTRL, we're either native with up-to-date microcode on
+ * a GDS-vulnerable part, or virtualised under a GDS-aware hypervisor.
+ */
+ if ( cpu_has_gds_ctrl )
+ {
+ bool locked;
+ uint64_t opt_ctrl;
+
+ if ( cpu_has_gds_no )
+ {
+ /*
+ * We don't expect to ever see GDS_CTL and GDS_NO set together.
+ * Complain loudly, and forgo playing with other features.
+ */
+ printk(XENLOG_ERR
+ "FIRMWARE BUG: CPU %02x-%02x-%02x, ucode 0x%08x: GDS_CTRL && GDS_NO\n",
+ boot_cpu_data.x86, boot_cpu_data.x86_model,
+ boot_cpu_data.x86_mask, this_cpu(cpu_sig).rev);
+ return add_taint(TAINT_CPU_OUT_OF_SPEC);
+ }
+
+ rdmsrl(MSR_MCU_OPT_CTRL, opt_ctrl);
+
+ mitigated = !(opt_ctrl & MCU_OPT_CTRL_GDS_MIT_DIS);
+ locked = opt_ctrl & MCU_OPT_CTRL_GDS_MIT_LOCK;
+
+ /*
+ * Firmware will lock the GDS mitigation if e.g. SGX is active.
+ * Alternatively, a hypervisor might virtualise GDS_CTRL as locked.
+ * Warn if the mitigiation is locked and the user requested the
+ * opposite configuration.
+ */
+ if ( locked )
+ {
+ if ( opt_gds_mit >= 0 && opt_gds_mit != mitigated )
+ printk(XENLOG_WARNING
+ "GDS_MIT locked by firwmare - ignoring spec-ctrl=gds-mit setting\n");
+ opt_gds_mit = mitigated;
+ }
+ else if ( opt_gds_mit == -1 )
+ opt_gds_mit = cpu_has_bug_gds; /* Mitigate GDS by default */
+
+ /*
+ * Latch our choice of GDS_MIT for all CPUs to pick up. If LOCK is
+ * set, we latch the same value as it currently holds.
+ */
+ set_in_mcu_opt_ctrl(MCU_OPT_CTRL_GDS_MIT_DIS,
+ opt_gds_mit ? 0 : MCU_OPT_CTRL_GDS_MIT_DIS);
+ mitigated = opt_gds_mit;
+ }
+ else if ( opt_gds_mit == -1 )
+ opt_gds_mit = cpu_has_bug_gds; /* Mitigate GDS by default */
+
+ /*
+ * If we think we're not on vulnerable hardware, or we've mitigated GDS,
+ * synthesize GDS_NO. This is mostly for the benefit of guests, to inform
+ * them not to panic.
+ */
+ if ( !cpu_has_bug_gds || mitigated )
+ return setup_force_cpu_cap(X86_FEATURE_GDS_NO);
+
+ /*
+ * If all else has failed, mitigate by disabling AVX. This prevents
+ * guests from enabling %xcr0.ymm, thereby blocking the use of VGATHER
+ * instructions.
+ *
+ * There's at least one affected CPU not expected to recieve a microcode
+ * update, and this is the only remaining mitigation.
+ *
+ * If we're virtualised, this prevents our guests attacking each other,
+ * but it doesn't stop the outer hypervisor's guests attacking us. Leave
+ * a note to this effect.
+ */
+ if ( cpu_has_avx && opt_gds_mit )
+ {
+ setup_clear_cpu_cap(X86_FEATURE_AVX);
+ printk(XENLOG_WARNING "Mitigating GDS by disabling AVX%s\n",
+ cpu_has_hypervisor ?
+ " while virtualised - protections are best-effort" : "");
+ }
+}
+
void spec_ctrl_init_domain(struct domain *d)
{
bool pv = is_pv_domain(d);
@@ -1091,11 +1423,7 @@
{
enum ind_thunk thunk = THUNK_DEFAULT;
bool has_spec_ctrl, ibrs = false, hw_smt_enabled;
- bool cpu_has_bug_taa;
- uint64_t caps = 0;
-
- if ( cpu_has_arch_caps )
- rdmsrl(MSR_ARCH_CAPABILITIES, caps);
+ bool cpu_has_bug_taa, retpoline_safe;
hw_smt_enabled = check_smt_enabled();
@@ -1113,7 +1441,10 @@
if ( read_cr4() & X86_CR4_CET )
{
if ( !has_spec_ctrl )
+ {
printk(XENLOG_WARNING "?!? CET active, but no MSR_SPEC_CTRL?\n");
+ add_taint(TAINT_CPU_OUT_OF_SPEC);
+ }
else if ( opt_ibrs == -1 )
opt_ibrs = ibrs = true;
@@ -1121,6 +1452,9 @@
thunk = THUNK_JMP;
}
+ /* Determine if retpoline is safe on this CPU. Fix up RSBA/RRSBA enumerations. */
+ retpoline_safe = retpoline_calculations();
+
/*
* Has the user specified any custom BTI mitigations? If so, follow their
* instructions exactly and disable all heuristics.
@@ -1142,7 +1476,7 @@
* On all hardware, we'd like to use retpoline in preference to
* IBRS, but only if it is safe on this hardware.
*/
- if ( retpoline_safe(caps) )
+ if ( retpoline_safe )
thunk = THUNK_RETPOLINE;
else if ( has_spec_ctrl )
ibrs = true;
@@ -1292,6 +1626,8 @@
if ( opt_rsb_hvm )
setup_force_cpu_cap(X86_FEATURE_SC_RSB_HVM);
+ srso_calculations(hw_smt_enabled);
+
ibpb_calculations();
/* Check whether Eager FPU should be enabled by default. */
@@ -1307,13 +1643,13 @@
* threads. Activate this if SMT is enabled, and Xen is using a non-zero
* MSR_SPEC_CTRL setting.
*/
- if ( boot_cpu_has(X86_FEATURE_IBRSB) && !(caps & ARCH_CAPS_IBRS_ALL) &&
+ if ( boot_cpu_has(X86_FEATURE_IBRSB) && !cpu_has_eibrs &&
hw_smt_enabled && default_xen_spec_ctrl )
setup_force_cpu_cap(X86_FEATURE_SC_MSR_IDLE);
- xpti_init_default(caps);
+ xpti_init_default();
- l1tf_calculations(caps);
+ l1tf_calculations();
/*
* By default, enable PV domU L1TF mitigations on all L1TF-vulnerable
@@ -1334,7 +1670,7 @@
if ( !boot_cpu_has(X86_FEATURE_L1D_FLUSH) )
opt_l1d_flush = 0;
else if ( opt_l1d_flush == -1 )
- opt_l1d_flush = cpu_has_bug_l1tf && !(caps & ARCH_CAPS_SKIP_L1DFL);
+ opt_l1d_flush = cpu_has_bug_l1tf && !cpu_has_skip_l1dfl;
if ( opt_branch_harden )
setup_force_cpu_cap(X86_FEATURE_SC_BRANCH_HARDEN);
@@ -1356,7 +1692,7 @@
"enabled. Please assess your configuration and choose an\n"
"explicit 'smt=<bool>' setting. See XSA-273.\n");
- mds_calculations(caps);
+ mds_calculations();
/*
* Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have
@@ -1368,7 +1704,7 @@
* the return-to-guest path.
*/
if ( opt_unpriv_mmio )
- opt_fb_clear_mmio = caps & ARCH_CAPS_FB_CLEAR;
+ opt_fb_clear_mmio = cpu_has_fb_clear;
/*
* By default, enable PV and HVM mitigations on MDS-vulnerable hardware.
@@ -1398,7 +1734,7 @@
*/
if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio )
setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE);
- opt_md_clear_hvm &= !(caps & ARCH_CAPS_SKIP_L1DFL) && !opt_l1d_flush;
+ opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush;
/*
* Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT
@@ -1429,8 +1765,7 @@
* we check both to spot TSX in a microcode/cmdline independent way.
*/
cpu_has_bug_taa =
- (cpu_has_rtm || (caps & ARCH_CAPS_TSX_CTRL)) &&
- (caps & (ARCH_CAPS_MDS_NO | ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO;
+ (cpu_has_rtm || cpu_has_tsx_ctrl) && cpu_has_mds_no && !cpu_has_taa_no;
/*
* On TAA-affected hardware, disabling TSX is the preferred mitigation, vs
@@ -1449,7 +1784,7 @@
* plausibly value TSX higher than Hyperthreading...), disable TSX to
* mitigate TAA.
*/
- if ( opt_tsx == -1 && cpu_has_bug_taa && (caps & ARCH_CAPS_TSX_CTRL) &&
+ if ( opt_tsx == -1 && cpu_has_bug_taa && cpu_has_tsx_ctrl &&
((hw_smt_enabled && opt_smt) ||
!boot_cpu_has(X86_FEATURE_SC_VERW_IDLE)) )
{
@@ -1474,15 +1809,17 @@
if ( cpu_has_srbds_ctrl )
{
if ( opt_srb_lock == -1 && !opt_unpriv_mmio &&
- (caps & (ARCH_CAPS_MDS_NO|ARCH_CAPS_TAA_NO)) == ARCH_CAPS_MDS_NO &&
- (!cpu_has_hle || ((caps & ARCH_CAPS_TSX_CTRL) && rtm_disabled)) )
+ cpu_has_mds_no && !cpu_has_taa_no &&
+ (!cpu_has_hle || (cpu_has_tsx_ctrl && rtm_disabled)) )
opt_srb_lock = 0;
set_in_mcu_opt_ctrl(MCU_OPT_CTRL_RNGDS_MITG_DIS,
opt_srb_lock ? 0 : MCU_OPT_CTRL_RNGDS_MITG_DIS);
}
- print_details(thunk, caps);
+ gds_calculations();
+
+ print_details(thunk);
/*
* If MSR_SPEC_CTRL is available, apply Xen's default setting and discard
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/sysctl.c xen-4.14.6/xen/arch/x86/sysctl.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/sysctl.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/sysctl.c 2023-08-07 14:11:14.000000000 +0200
@@ -31,38 +31,7 @@
#include <xen/cpu.h>
#include <xsm/xsm.h>
#include <asm/psr.h>
-#include <asm/cpuid.h>
-
-const struct cpu_policy system_policies[6] = {
- [ XEN_SYSCTL_cpu_policy_raw ] = {
- &raw_cpuid_policy,
- &raw_msr_policy,
- },
- [ XEN_SYSCTL_cpu_policy_host ] = {
- &host_cpuid_policy,
- &host_msr_policy,
- },
-#ifdef CONFIG_PV
- [ XEN_SYSCTL_cpu_policy_pv_max ] = {
- &pv_max_cpuid_policy,
- &pv_max_msr_policy,
- },
- [ XEN_SYSCTL_cpu_policy_pv_default ] = {
- &pv_def_cpuid_policy,
- &pv_def_msr_policy,
- },
-#endif
-#ifdef CONFIG_HVM
- [ XEN_SYSCTL_cpu_policy_hvm_max ] = {
- &hvm_max_cpuid_policy,
- &hvm_max_msr_policy,
- },
- [ XEN_SYSCTL_cpu_policy_hvm_default ] = {
- &hvm_def_cpuid_policy,
- &hvm_def_msr_policy,
- },
-#endif
-};
+#include <asm/cpu-policy.h>
struct l3_cache_info {
int ret;
@@ -357,17 +326,19 @@
case XEN_SYSCTL_get_cpu_featureset:
{
- static const struct cpuid_policy *const policy_table[4] = {
- [XEN_SYSCTL_cpu_featureset_raw] = &raw_cpuid_policy,
- [XEN_SYSCTL_cpu_featureset_host] = &host_cpuid_policy,
+ static const struct cpu_policy *const policy_table[6] = {
+ [XEN_SYSCTL_cpu_featureset_raw] = &raw_cpu_policy,
+ [XEN_SYSCTL_cpu_featureset_host] = &host_cpu_policy,
#ifdef CONFIG_PV
- [XEN_SYSCTL_cpu_featureset_pv] = &pv_def_cpuid_policy,
+ [XEN_SYSCTL_cpu_featureset_pv] = &pv_def_cpu_policy,
+ [XEN_SYSCTL_cpu_featureset_pv_max] = &pv_max_cpu_policy,
#endif
#ifdef CONFIG_HVM
- [XEN_SYSCTL_cpu_featureset_hvm] = &hvm_def_cpuid_policy,
+ [XEN_SYSCTL_cpu_featureset_hvm] = &hvm_def_cpu_policy,
+ [XEN_SYSCTL_cpu_featureset_hvm_max] = &hvm_max_cpu_policy,
#endif
};
- const struct cpuid_policy *p = NULL;
+ const struct cpu_policy *p = NULL;
uint32_t featureset[FSCAPINTS];
unsigned int nr;
@@ -398,7 +369,7 @@
ret = -EINVAL;
if ( !ret )
- cpuid_policy_to_featureset(p, featureset);
+ x86_cpu_policy_to_featureset(p, featureset);
/* Copy the requested featureset into place. */
if ( !ret && copy_to_guest(sysctl->u.cpu_featureset.features,
@@ -420,6 +391,18 @@
case XEN_SYSCTL_get_cpu_policy:
{
+ static const struct cpu_policy *const system_policies[6] = {
+ [XEN_SYSCTL_cpu_policy_raw] = &raw_cpu_policy,
+ [XEN_SYSCTL_cpu_policy_host] = &host_cpu_policy,
+#ifdef CONFIG_PV
+ [XEN_SYSCTL_cpu_policy_pv_max] = &pv_max_cpu_policy,
+ [XEN_SYSCTL_cpu_policy_pv_default] = &pv_def_cpu_policy,
+#endif
+#ifdef CONFIG_HVM
+ [XEN_SYSCTL_cpu_policy_hvm_max] = &hvm_max_cpu_policy,
+ [XEN_SYSCTL_cpu_policy_hvm_default] = &hvm_def_cpu_policy,
+#endif
+ };
const struct cpu_policy *policy;
/* Reserved field set, or bad policy index? */
@@ -429,22 +412,22 @@
ret = -EINVAL;
break;
}
- policy = &system_policies[
+ policy = system_policies[
array_index_nospec(sysctl->u.cpu_policy.index,
ARRAY_SIZE(system_policies))];
- if ( !policy->cpuid || !policy->msr )
+ if ( !policy )
{
ret = -EOPNOTSUPP;
break;
}
/* Process the CPUID leaves. */
- if ( guest_handle_is_null(sysctl->u.cpu_policy.cpuid_policy) )
+ if ( guest_handle_is_null(sysctl->u.cpu_policy.leaves) )
sysctl->u.cpu_policy.nr_leaves = CPUID_MAX_SERIALISED_LEAVES;
else if ( (ret = x86_cpuid_copy_to_buffer(
- policy->cpuid,
- sysctl->u.cpu_policy.cpuid_policy,
+ policy,
+ sysctl->u.cpu_policy.leaves,
&sysctl->u.cpu_policy.nr_leaves)) )
break;
@@ -456,11 +439,11 @@
}
/* Process the MSR entries. */
- if ( guest_handle_is_null(sysctl->u.cpu_policy.msr_policy) )
+ if ( guest_handle_is_null(sysctl->u.cpu_policy.msrs) )
sysctl->u.cpu_policy.nr_msrs = MSR_MAX_SERIALISED_ENTRIES;
else if ( (ret = x86_msr_copy_to_buffer(
- policy->msr,
- sysctl->u.cpu_policy.msr_policy,
+ policy,
+ sysctl->u.cpu_policy.msrs,
&sysctl->u.cpu_policy.nr_msrs)) )
break;
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/time.c xen-4.14.6/xen/arch/x86/time.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/time.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/time.c 2023-08-07 14:11:14.000000000 +0200
@@ -26,6 +26,7 @@
#include <xen/symbols.h>
#include <xen/keyhandler.h>
#include <xen/guest_access.h>
+#include <asm/cpu-policy.h>
#include <asm/io.h>
#include <asm/iocap.h>
#include <asm/msr.h>
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/traps.c xen-4.14.6/xen/arch/x86/traps.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/traps.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/traps.c 2023-08-07 14:11:14.000000000 +0200
@@ -962,7 +962,7 @@
uint32_t subleaf, struct cpuid_leaf *res)
{
const struct domain *d = v->domain;
- const struct cpuid_policy *p = d->arch.cpuid;
+ const struct cpu_policy *p = d->arch.cpu_policy;
uint32_t base = is_viridian_domain(d) ? 0x40000100 : 0x40000000;
uint32_t idx = leaf - base;
unsigned int limit = is_viridian_domain(d) ? p->hv2_limit : p->hv_limit;
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/tsx.c xen-4.14.6/xen/arch/x86/tsx.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/tsx.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/tsx.c 2023-08-07 14:11:14.000000000 +0200
@@ -19,7 +19,6 @@
* controlling TSX behaviour, and where TSX isn't force-disabled by firmware.
*/
int8_t __read_mostly opt_tsx = -1;
-int8_t __read_mostly cpu_has_tsx_ctrl = -1;
bool __read_mostly rtm_disabled;
static int __init parse_tsx(const char *s)
@@ -37,24 +36,28 @@
void tsx_init(void)
{
+ static bool __read_mostly once;
+
/*
* This function is first called between microcode being loaded, and CPUID
* being scanned generally. Read into boot_cpu_data.x86_capability[] for
* the cpu_has_* bits we care about using here.
*/
- if ( unlikely(cpu_has_tsx_ctrl < 0) )
+ if ( unlikely(!once) )
{
- uint64_t caps = 0;
bool has_rtm_always_abort;
+ once = true;
+
if ( boot_cpu_data.cpuid_level >= 7 )
boot_cpu_data.x86_capability[cpufeat_word(X86_FEATURE_ARCH_CAPS)]
= cpuid_count_edx(7, 0);
if ( cpu_has_arch_caps )
- rdmsrl(MSR_ARCH_CAPABILITIES, caps);
+ rdmsr(MSR_ARCH_CAPABILITIES,
+ boot_cpu_data.x86_capability[FEATURESET_m10Al],
+ boot_cpu_data.x86_capability[FEATURESET_m10Ah]);
- cpu_has_tsx_ctrl = !!(caps & ARCH_CAPS_TSX_CTRL);
has_rtm_always_abort = cpu_has_rtm_always_abort;
if ( cpu_has_tsx_ctrl && cpu_has_srbds_ctrl )
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/x86_emulate/x86_emulate.c xen-4.14.6/xen/arch/x86/x86_emulate/x86_emulate.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/x86_emulate/x86_emulate.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/x86_emulate/x86_emulate.c 2023-08-07 14:11:14.000000000 +0200
@@ -1922,7 +1922,7 @@
}
static bool
-_amd_like(const struct cpuid_policy *cp)
+_amd_like(const struct cpu_policy *cp)
{
return cp->x86_vendor & (X86_VENDOR_AMD | X86_VENDOR_HYGON);
}
@@ -1930,7 +1930,7 @@
static bool
amd_like(const struct x86_emulate_ctxt *ctxt)
{
- return _amd_like(ctxt->cpuid);
+ return _amd_like(ctxt->cpu_policy);
}
#define vcpu_has_fpu() (ctxt->cpuid->basic.fpu)
@@ -2074,7 +2074,7 @@
struct x86_emulate_ctxt *ctxt,
const struct x86_emulate_ops *ops)
{
- const struct cpuid_policy *cp = ctxt->cpuid;
+ const struct cpu_policy *cp = ctxt->cpu_policy;
enum x86_segment sel_seg = (sel & 4) ? x86_seg_ldtr : x86_seg_gdtr;
struct { uint32_t a, b; } desc, desc_hi = {};
uint8_t dpl, rpl;
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/x86_emulate/x86_emulate.h xen-4.14.6/xen/arch/x86/x86_emulate/x86_emulate.h
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/x86_emulate/x86_emulate.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/x86_emulate/x86_emulate.h 2023-08-07 14:11:14.000000000 +0200
@@ -23,7 +23,7 @@
#ifndef __X86_EMULATE_H__
#define __X86_EMULATE_H__
-#include <xen/lib/x86/cpuid.h>
+#include <xen/lib/x86/cpu-policy.h>
#define MAX_INST_LEN 15
@@ -566,8 +566,11 @@
* Input-only state:
*/
- /* CPUID Policy for the domain. */
- const struct cpuid_policy *cpuid;
+ /* CPU policy for the domain. Allow aliases for local code clarity. */
+ union {
+ struct cpu_policy *cpu_policy;
+ struct cpu_policy *cpuid;
+ };
/* Set this if writes may have side effects. */
bool force_writeback;
diff -Nru xen-4.14.5+94-ge49571868d/xen/arch/x86/xstate.c xen-4.14.6/xen/arch/x86/xstate.c
--- xen-4.14.5+94-ge49571868d/xen/arch/x86/xstate.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/arch/x86/xstate.c 2023-08-07 14:11:14.000000000 +0200
@@ -677,7 +677,7 @@
int validate_xstate(const struct domain *d, uint64_t xcr0, uint64_t xcr0_accum,
const struct xsave_hdr *hdr)
{
- uint64_t xcr0_max = cpuid_policy_xcr0_max(d->arch.cpuid);
+ uint64_t xcr0_max = cpu_policy_xcr0_max(d->arch.cpuid);
unsigned int i;
if ( (hdr->xstate_bv & ~xcr0_accum) ||
@@ -701,7 +701,7 @@
int handle_xsetbv(u32 index, u64 new_bv)
{
struct vcpu *curr = current;
- uint64_t xcr0_max = cpuid_policy_xcr0_max(curr->domain->arch.cpuid);
+ uint64_t xcr0_max = cpu_policy_xcr0_max(curr->domain->arch.cpuid);
u64 mask;
if ( index != XCR_XFEATURE_ENABLED_MASK )
diff -Nru xen-4.14.5+94-ge49571868d/xen/common/kernel.c xen-4.14.6/xen/common/kernel.c
--- xen-4.14.5+94-ge49571868d/xen/common/kernel.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/common/kernel.c 2023-08-07 14:11:14.000000000 +0200
@@ -338,6 +338,7 @@
* 'E' - An error (e.g. a machine check exceptions) has been injected.
* 'H' - HVM forced emulation prefix is permitted.
* 'M' - Machine had a machine check experience.
+ * 'S' - Out of spec CPU (Incompatible features on one or more cores).
*
* The string is overwritten by the next call to print_taint().
*/
@@ -345,11 +346,12 @@
{
if ( tainted )
{
- snprintf(str, TAINT_STRING_MAX_LEN, "Tainted: %c%c%c%c",
+ snprintf(str, TAINT_STRING_MAX_LEN, "Tainted: %c%c%c%c%c",
tainted & TAINT_MACHINE_CHECK ? 'M' : ' ',
tainted & TAINT_SYNC_CONSOLE ? 'C' : ' ',
tainted & TAINT_ERROR_INJECT ? 'E' : ' ',
- tainted & TAINT_HVM_FEP ? 'H' : ' ');
+ tainted & TAINT_HVM_FEP ? 'H' : ' ',
+ tainted & TAINT_CPU_OUT_OF_SPEC ? 'S' : ' ');
}
else
{
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/asm-x86/cpufeature.h xen-4.14.6/xen/include/asm-x86/cpufeature.h
--- xen-4.14.5+94-ge49571868d/xen/include/asm-x86/cpufeature.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/asm-x86/cpufeature.h 2023-08-07 14:11:14.000000000 +0200
@@ -142,6 +142,20 @@
/* CPUID level 0x00000007:1.eax */
#define cpu_has_avx512_bf16 boot_cpu_has(X86_FEATURE_AVX512_BF16)
+/* MSR_ARCH_CAPS */
+#define cpu_has_rdcl_no boot_cpu_has(X86_FEATURE_RDCL_NO)
+#define cpu_has_eibrs boot_cpu_has(X86_FEATURE_EIBRS)
+#define cpu_has_rsba boot_cpu_has(X86_FEATURE_RSBA)
+#define cpu_has_skip_l1dfl boot_cpu_has(X86_FEATURE_SKIP_L1DFL)
+#define cpu_has_mds_no boot_cpu_has(X86_FEATURE_MDS_NO)
+#define cpu_has_if_pschange_mc_no boot_cpu_has(X86_FEATURE_IF_PSCHANGE_MC_NO)
+#define cpu_has_tsx_ctrl boot_cpu_has(X86_FEATURE_TSX_CTRL)
+#define cpu_has_taa_no boot_cpu_has(X86_FEATURE_TAA_NO)
+#define cpu_has_fb_clear boot_cpu_has(X86_FEATURE_FB_CLEAR)
+#define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA)
+#define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL)
+#define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO)
+
/* Synthesized. */
#define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON)
#define cpu_has_cpuid_faulting boot_cpu_has(X86_FEATURE_CPUID_FAULTING)
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/asm-x86/cpuid.h xen-4.14.6/xen/include/asm-x86/cpuid.h
--- xen-4.14.5+94-ge49571868d/xen/include/asm-x86/cpuid.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/asm-x86/cpuid.h 2023-08-07 14:11:14.000000000 +0200
@@ -8,15 +8,9 @@
#include <xen/kernel.h>
#include <xen/percpu.h>
-#include <xen/lib/x86/cpu-policy.h>
-#include <xen/lib/x86/cpuid.h>
-
#include <public/sysctl.h>
extern const uint32_t known_features[FSCAPINTS];
-extern const uint32_t special_features[FSCAPINTS];
-
-void init_guest_cpuid(void);
/*
* Expected levelling capabilities (given cpuid vendor/family information),
@@ -48,22 +42,11 @@
/* Default masking MSR values, calculated at boot. */
extern struct cpuidmasks cpuidmask_defaults;
-extern struct cpuid_policy raw_cpuid_policy, host_cpuid_policy,
- pv_max_cpuid_policy, pv_def_cpuid_policy,
- hvm_max_cpuid_policy, hvm_def_cpuid_policy;
-
-extern const struct cpu_policy system_policies[];
-
/* Check that all previously present features are still available. */
bool recheck_cpu_features(unsigned int cpu);
-/* Allocate and initialise a CPUID policy suitable for the domain. */
-int init_domain_cpuid_policy(struct domain *d);
-
-/* Clamp the CPUID policy to reality. */
-void recalculate_cpuid_policy(struct domain *d);
-
struct vcpu;
+struct cpuid_leaf;
void guest_cpuid(const struct vcpu *v, uint32_t leaf,
uint32_t subleaf, struct cpuid_leaf *res);
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/asm-x86/cpu-policy.h xen-4.14.6/xen/include/asm-x86/cpu-policy.h
--- xen-4.14.5+94-ge49571868d/xen/include/asm-x86/cpu-policy.h 1970-01-01 01:00:00.000000000 +0100
+++ xen-4.14.6/xen/include/asm-x86/cpu-policy.h 2023-08-07 14:11:14.000000000 +0200
@@ -0,0 +1,27 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+#ifndef X86_CPU_POLICY_H
+#define X86_CPU_POLICY_H
+
+struct cpu_policy;
+struct domain;
+
+extern struct cpu_policy raw_cpu_policy;
+extern struct cpu_policy host_cpu_policy;
+extern struct cpu_policy pv_max_cpu_policy;
+extern struct cpu_policy pv_def_cpu_policy;
+extern struct cpu_policy hvm_max_cpu_policy;
+extern struct cpu_policy hvm_def_cpu_policy;
+
+/* Initialise the guest cpu_policy objects. */
+void init_guest_cpu_policies(void);
+
+/* Allocate and initialise a CPU policy suitable for the domain. */
+int init_domain_cpu_policy(struct domain *d);
+
+/* Apply dom0-specific tweaks to the CPUID policy. */
+void init_dom0_cpuid_policy(struct domain *d);
+
+/* Clamp the CPUID policy to reality. */
+void recalculate_cpuid_policy(struct domain *d);
+
+#endif /* X86_CPU_POLICY_H */
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/asm-x86/domain.h xen-4.14.6/xen/include/asm-x86/domain.h
--- xen-4.14.5+94-ge49571868d/xen/include/asm-x86/domain.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/asm-x86/domain.h 2023-08-07 14:11:14.000000000 +0200
@@ -368,9 +368,16 @@
*/
uint8_t x87_fip_width;
- /* CPUID and MSR policy objects. */
- struct cpuid_policy *cpuid;
- struct msr_policy *msr;
+ /*
+ * The domain's CPU Policy. "cpu_policy" is considered the canonical
+ * pointer, but the "cpuid" and "msr" aliases exist so the most
+ * appropriate one can be used for local code clarity.
+ */
+ union {
+ struct cpu_policy *cpu_policy;
+ struct cpu_policy *cpuid;
+ struct cpu_policy *msr;
+ };
struct PITState vpit;
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/asm-x86/msr.h xen-4.14.6/xen/include/asm-x86/msr.h
--- xen-4.14.5+94-ge49571868d/xen/include/asm-x86/msr.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/asm-x86/msr.h 2023-08-07 14:11:14.000000000 +0200
@@ -6,8 +6,9 @@
#include <xen/types.h>
#include <xen/percpu.h>
#include <xen/errno.h>
+#include <xen/kernel.h>
-#include <xen/lib/x86/msr.h>
+#include <xen/lib/x86/cpu-policy.h>
#include <asm/asm_defns.h>
#include <asm/cpufeature.h>
@@ -267,14 +268,7 @@
}
}
-uint64_t msr_spec_ctrl_valid_bits(const struct cpuid_policy *cp);
-
-extern struct msr_policy raw_msr_policy,
- host_msr_policy,
- pv_max_msr_policy,
- pv_def_msr_policy,
- hvm_max_msr_policy,
- hvm_def_msr_policy;
+uint64_t msr_spec_ctrl_valid_bits(const struct cpu_policy *cp);
/* Container object for per-vCPU MSRs */
struct vcpu_msrs
@@ -339,8 +333,6 @@
uint32_t dr_mask[4];
};
-void init_guest_msr_policy(void);
-int init_domain_msr_policy(struct domain *d);
int init_vcpu_msr_policy(struct vcpu *v);
/*
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/asm-x86/msr-index.h xen-4.14.6/xen/include/asm-x86/msr-index.h
--- xen-4.14.5+94-ge49571868d/xen/include/asm-x86/msr-index.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/asm-x86/msr-index.h 2023-08-07 14:11:14.000000000 +0200
@@ -37,6 +37,7 @@
#define MSR_PRED_CMD 0x00000049
#define PRED_CMD_IBPB (_AC(1, ULL) << 0)
+#define PRED_CMD_SBPB (_AC(1, ULL) << 7)
#define MSR_PPIN_CTL 0x0000004e
#define PPIN_LOCKOUT (_AC(1, ULL) << 0)
@@ -48,7 +49,7 @@
#define MSR_ARCH_CAPABILITIES 0x0000010a
#define ARCH_CAPS_RDCL_NO (_AC(1, ULL) << 0)
-#define ARCH_CAPS_IBRS_ALL (_AC(1, ULL) << 1)
+#define ARCH_CAPS_EIBRS (_AC(1, ULL) << 1)
#define ARCH_CAPS_RSBA (_AC(1, ULL) << 2)
#define ARCH_CAPS_SKIP_L1DFL (_AC(1, ULL) << 3)
#define ARCH_CAPS_SSB_NO (_AC(1, ULL) << 4)
@@ -61,6 +62,11 @@
#define ARCH_CAPS_PSDP_NO (_AC(1, ULL) << 15)
#define ARCH_CAPS_FB_CLEAR (_AC(1, ULL) << 17)
#define ARCH_CAPS_FB_CLEAR_CTRL (_AC(1, ULL) << 18)
+#define ARCH_CAPS_RRSBA (_AC(1, ULL) << 19)
+#define ARCH_CAPS_BHI_NO (_AC(1, ULL) << 20)
+#define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24)
+#define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25)
+#define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26)
#define MSR_FLUSH_CMD 0x0000010b
#define FLUSH_CMD_L1D (_AC(1, ULL) << 0)
@@ -79,6 +85,8 @@
#define MCU_OPT_CTRL_RTM_ALLOW (_AC(1, ULL) << 1)
#define MCU_OPT_CTRL_RTM_LOCKED (_AC(1, ULL) << 2)
#define MCU_OPT_CTRL_FB_CLEAR_DIS (_AC(1, ULL) << 3)
+#define MCU_OPT_CTRL_GDS_MIT_DIS (_AC(1, ULL) << 4)
+#define MCU_OPT_CTRL_GDS_MIT_LOCK (_AC(1, ULL) << 5)
#define MSR_RTIT_OUTPUT_BASE 0x00000560
#define MSR_RTIT_OUTPUT_MASK 0x00000561
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/asm-x86/processor.h xen-4.14.6/xen/include/asm-x86/processor.h
--- xen-4.14.5+94-ge49571868d/xen/include/asm-x86/processor.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/asm-x86/processor.h 2023-08-07 14:11:14.000000000 +0200
@@ -628,13 +628,15 @@
return fam;
}
-extern int8_t opt_tsx, cpu_has_tsx_ctrl;
+extern int8_t opt_tsx;
extern bool rtm_disabled;
void tsx_init(void);
void update_mcu_opt_ctrl(void);
void set_in_mcu_opt_ctrl(uint32_t mask, uint32_t val);
+void amd_check_zenbleed(void);
+
#endif /* !__ASSEMBLY__ */
#endif /* __ASM_X86_PROCESSOR_H */
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/public/arch-x86/cpufeatureset.h xen-4.14.6/xen/include/public/arch-x86/cpufeatureset.h
--- xen-4.14.5+94-ge49571868d/xen/include/public/arch-x86/cpufeatureset.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/public/arch-x86/cpufeatureset.h 2023-08-07 14:11:14.000000000 +0200
@@ -216,7 +216,7 @@
XEN_CPUFEATURE(SMAP, 5*32+20) /*S Supervisor Mode Access Prevention */
XEN_CPUFEATURE(AVX512_IFMA, 5*32+21) /*A AVX-512 Integer Fused Multiply Add */
XEN_CPUFEATURE(CLFLUSHOPT, 5*32+23) /*A CLFLUSHOPT instruction */
-XEN_CPUFEATURE(CLWB, 5*32+24) /*A CLWB instruction */
+XEN_CPUFEATURE(CLWB, 5*32+24) /*!A CLWB instruction */
XEN_CPUFEATURE(AVX512PF, 5*32+26) /*A AVX-512 Prefetch Instructions */
XEN_CPUFEATURE(AVX512ER, 5*32+27) /*A AVX-512 Exponent & Reciprocal Instrs */
XEN_CPUFEATURE(AVX512CD, 5*32+28) /*A AVX-512 Conflict Detection Instrs */
@@ -280,7 +280,7 @@
XEN_CPUFEATURE(IBRSB, 9*32+26) /*A IBRS and IBPB support (used by Intel) */
XEN_CPUFEATURE(STIBP, 9*32+27) /*A STIBP */
XEN_CPUFEATURE(L1D_FLUSH, 9*32+28) /*S MSR_FLUSH_CMD and L1D flush. */
-XEN_CPUFEATURE(ARCH_CAPS, 9*32+29) /*a IA32_ARCH_CAPABILITIES MSR */
+XEN_CPUFEATURE(ARCH_CAPS, 9*32+29) /*!A IA32_ARCH_CAPABILITIES MSR */
XEN_CPUFEATURE(CORE_CAPS, 9*32+30) /* IA32_CORE_CAPABILITIES MSR */
XEN_CPUFEATURE(SSBD, 9*32+31) /*A MSR_SPEC_CTRL.SSBD available */
@@ -289,12 +289,48 @@
/* AMD-defined CPU features, CPUID level 0x80000021.eax, word 11 */
XEN_CPUFEATURE(LFENCE_DISPATCH, 11*32+ 2) /*A LFENCE always serializing */
+XEN_CPUFEATURE(SBPB, 11*32+27) /*A Selective Branch Predictor Barrier */
+XEN_CPUFEATURE(IBPB_BRTYPE, 11*32+28) /*A IBPB flushes Branch Type predictions too */
+XEN_CPUFEATURE(SRSO_NO, 11*32+29) /*A Hardware not vulenrable to Speculative Return Stack Overflow */
/* Intel-defined CPU features, CPUID level 0x00000007:1.ebx, word 12 */
/* Intel-defined CPU features, CPUID level 0x00000007:2.edx, word 13 */
XEN_CPUFEATURE(INTEL_PSFD, 13*32+ 0) /*A MSR_SPEC_CTRL.PSFD */
+/* Intel-defined CPU features, CPUID level 0x00000007:1.ecx, word 14 */
+
+/* Intel-defined CPU features, CPUID level 0x00000007:1.edx, word 15 */
+
+/* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.eax, word 16 */
+XEN_CPUFEATURE(RDCL_NO, 16*32+ 0) /*A No Rogue Data Cache Load (Meltdown) */
+XEN_CPUFEATURE(EIBRS, 16*32+ 1) /*A Enhanced IBRS */
+XEN_CPUFEATURE(RSBA, 16*32+ 2) /*! RSB Alternative (Retpoline not safe) */
+XEN_CPUFEATURE(SKIP_L1DFL, 16*32+ 3) /* Don't need to flush L1D on VMEntry */
+XEN_CPUFEATURE(INTEL_SSB_NO, 16*32+ 4) /*A No Speculative Store Bypass */
+XEN_CPUFEATURE(MDS_NO, 16*32+ 5) /*A No Microarchitectural Data Sampling */
+XEN_CPUFEATURE(IF_PSCHANGE_MC_NO, 16*32+ 6) /*A No Instruction fetch #MC */
+XEN_CPUFEATURE(TSX_CTRL, 16*32+ 7) /* MSR_TSX_CTRL */
+XEN_CPUFEATURE(TAA_NO, 16*32+ 8) /*A No TSX Async Abort */
+XEN_CPUFEATURE(MCU_CTRL, 16*32+ 9) /* MSR_MCU_CTRL */
+XEN_CPUFEATURE(MISC_PKG_CTRL, 16*32+10) /* MSR_MISC_PKG_CTRL */
+XEN_CPUFEATURE(ENERGY_FILTERING, 16*32+11) /* MSR_MISC_PKG_CTRL.ENERGY_FILTERING */
+XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing Mode */
+XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */
+XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */
+XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */
+XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */
+XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */
+XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */
+XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */
+XEN_CPUFEATURE(XAPIC_STATUS, 16*32+21) /* MSR_XAPIC_DISABLE_STATUS */
+XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */
+XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */
+XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */
+XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */
+
+/* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */
+
#endif /* XEN_CPUFEATURE */
/* Clean up from a default include. Close the enum (for C). */
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/public/domctl.h xen-4.14.6/xen/include/public/domctl.h
--- xen-4.14.5+94-ge49571868d/xen/include/public/domctl.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/public/domctl.h 2023-08-07 14:11:14.000000000 +0200
@@ -673,12 +673,10 @@
* Query or set the CPUID and MSR policies for a specific domain.
*/
struct xen_domctl_cpu_policy {
- uint32_t nr_leaves; /* IN/OUT: Number of leaves in/written to
- * 'cpuid_policy'. */
- uint32_t nr_msrs; /* IN/OUT: Number of MSRs in/written to
- * 'msr_policy' */
- XEN_GUEST_HANDLE_64(xen_cpuid_leaf_t) cpuid_policy; /* IN/OUT */
- XEN_GUEST_HANDLE_64(xen_msr_entry_t) msr_policy; /* IN/OUT */
+ uint32_t nr_leaves; /* IN/OUT: Number of leaves in/written to 'leaves' */
+ uint32_t nr_msrs; /* IN/OUT: Number of MSRs in/written to 'msrs' */
+ XEN_GUEST_HANDLE_64(xen_cpuid_leaf_t) leaves; /* IN/OUT */
+ XEN_GUEST_HANDLE_64(xen_msr_entry_t) msrs; /* IN/OUT */
/*
* OUT, set_policy only. Written in some (but not all) error cases to
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/public/sysctl.h xen-4.14.6/xen/include/public/sysctl.h
--- xen-4.14.5+94-ge49571868d/xen/include/public/sysctl.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/public/sysctl.h 2023-08-07 14:11:14.000000000 +0200
@@ -804,6 +804,8 @@
#define XEN_SYSCTL_cpu_featureset_host 1
#define XEN_SYSCTL_cpu_featureset_pv 2
#define XEN_SYSCTL_cpu_featureset_hvm 3
+#define XEN_SYSCTL_cpu_featureset_pv_max 4
+#define XEN_SYSCTL_cpu_featureset_hvm_max 5
uint32_t index; /* IN: Which featureset to query? */
uint32_t nr_features; /* IN/OUT: Number of entries in/written to
* 'features', or the maximum number of features if
@@ -1049,15 +1051,13 @@
#define XEN_SYSCTL_cpu_policy_pv_default 4
#define XEN_SYSCTL_cpu_policy_hvm_default 5
uint32_t index; /* IN: Which policy to query? */
- uint32_t nr_leaves; /* IN/OUT: Number of leaves in/written to
- * 'cpuid_policy', or the maximum number of leaves
- * if the guest handle is NULL. */
- uint32_t nr_msrs; /* IN/OUT: Number of MSRs in/written to
- * 'msr_policy', or the maximum number of MSRs if
- * the guest handle is NULL. */
+ uint32_t nr_leaves; /* IN/OUT: Number of leaves in/written to 'leaves',
+ * or the max number if 'leaves' is NULL. */
+ uint32_t nr_msrs; /* IN/OUT: Number of MSRs in/written to 'msrs', or
+ * the max number of if 'msrs' is NULL. */
uint32_t _rsvd; /* Must be zero. */
- XEN_GUEST_HANDLE_64(xen_cpuid_leaf_t) cpuid_policy; /* OUT */
- XEN_GUEST_HANDLE_64(xen_msr_entry_t) msr_policy; /* OUT */
+ XEN_GUEST_HANDLE_64(xen_cpuid_leaf_t) leaves; /* OUT */
+ XEN_GUEST_HANDLE_64(xen_msr_entry_t) msrs; /* OUT */
};
typedef struct xen_sysctl_cpu_policy xen_sysctl_cpu_policy_t;
DEFINE_XEN_GUEST_HANDLE(xen_sysctl_cpu_policy_t);
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/xen/lib/x86/cpuid.h xen-4.14.6/xen/include/xen/lib/x86/cpuid.h
--- xen-4.14.5+94-ge49571868d/xen/include/xen/lib/x86/cpuid.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/xen/lib/x86/cpuid.h 1970-01-01 01:00:00.000000000 +0100
@@ -1,462 +0,0 @@
-/* Common data structures and functions consumed by hypervisor and toolstack */
-#ifndef XEN_LIB_X86_CPUID_H
-#define XEN_LIB_X86_CPUID_H
-
-#include <xen/lib/x86/cpuid-autogen.h>
-
-#define FEATURESET_1d 0 /* 0x00000001.edx */
-#define FEATURESET_1c 1 /* 0x00000001.ecx */
-#define FEATURESET_e1d 2 /* 0x80000001.edx */
-#define FEATURESET_e1c 3 /* 0x80000001.ecx */
-#define FEATURESET_Da1 4 /* 0x0000000d:1.eax */
-#define FEATURESET_7b0 5 /* 0x00000007:0.ebx */
-#define FEATURESET_7c0 6 /* 0x00000007:0.ecx */
-#define FEATURESET_e7d 7 /* 0x80000007.edx */
-#define FEATURESET_e8b 8 /* 0x80000008.ebx */
-#define FEATURESET_7d0 9 /* 0x00000007:0.edx */
-#define FEATURESET_7a1 10 /* 0x00000007:1.eax */
-#define FEATURESET_e21a 11 /* 0x80000021.eax */
-#define FEATURESET_7b1 12 /* 0x00000007:1.ebx */
-#define FEATURESET_7d2 13 /* 0x80000007:2.edx */
-
-struct cpuid_leaf
-{
- uint32_t a, b, c, d;
-};
-
-/*
- * Versions of GCC before 5 unconditionally reserve %rBX as the PIC hard
- * register, and are unable to cope with spilling it. This results in a
- * rather cryptic error:
- * error: inconsistent operand constraints in an ‘asm’
- *
- * In affected situations, work around the issue by using a separate register
- * to hold the the %rBX output, and xchg twice to leave %rBX preserved around
- * the asm() statement.
- */
-#if defined(__PIC__) && __GNUC__ < 5 && !defined(__clang__) && defined(__i386__)
-# define XCHG_BX "xchg %%ebx, %[bx];"
-# define BX_CON [bx] "=&r"
-#elif defined(__PIC__) && __GNUC__ < 5 && !defined(__clang__) && \
- defined(__x86_64__) && (defined(__code_model_medium__) || \
- defined(__code_model_large__))
-# define XCHG_BX "xchg %%rbx, %q[bx];"
-# define BX_CON [bx] "=&r"
-#else
-# define XCHG_BX ""
-# define BX_CON "=&b"
-#endif
-
-static inline void cpuid_leaf(uint32_t leaf, struct cpuid_leaf *l)
-{
- asm ( XCHG_BX
- "cpuid;"
- XCHG_BX
- : "=a" (l->a), BX_CON (l->b), "=&c" (l->c), "=&d" (l->d)
- : "a" (leaf) );
-}
-
-static inline void cpuid_count_leaf(
- uint32_t leaf, uint32_t subleaf, struct cpuid_leaf *l)
-{
- asm ( XCHG_BX
- "cpuid;"
- XCHG_BX
- : "=a" (l->a), BX_CON (l->b), "=c" (l->c), "=&d" (l->d)
- : "a" (leaf), "c" (subleaf) );
-}
-
-#undef BX_CON
-#undef XCHG
-
-/**
- * Given the vendor id from CPUID leaf 0, look up Xen's internal integer
- * vendor ID. Returns X86_VENDOR_UNKNOWN for any unknown vendor.
- */
-unsigned int x86_cpuid_lookup_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx);
-
-/**
- * Given Xen's internal vendor ID, return a string suitable for printing.
- * Returns "Unknown" for any unrecognised ID.
- */
-const char *x86_cpuid_vendor_to_str(unsigned int vendor);
-
-#define CPUID_GUEST_NR_BASIC (0xdu + 1)
-#define CPUID_GUEST_NR_CACHE (5u + 1)
-#define CPUID_GUEST_NR_FEAT (2u + 1)
-#define CPUID_GUEST_NR_TOPO (1u + 1)
-#define CPUID_GUEST_NR_XSTATE (62u + 1)
-#define CPUID_GUEST_NR_EXTD_INTEL (0x8u + 1)
-#define CPUID_GUEST_NR_EXTD_AMD (0x21u + 1)
-#define CPUID_GUEST_NR_EXTD MAX(CPUID_GUEST_NR_EXTD_INTEL, \
- CPUID_GUEST_NR_EXTD_AMD)
-
-/*
- * Maximum number of leaves a struct cpuid_policy turns into when serialised
- * for interaction with the toolstack. (Sum of all leaves in each union, less
- * the entries in basic which sub-unions hang off of.)
- */
-#define CPUID_MAX_SERIALISED_LEAVES \
- (CPUID_GUEST_NR_BASIC + \
- CPUID_GUEST_NR_FEAT - !!CPUID_GUEST_NR_FEAT + \
- CPUID_GUEST_NR_CACHE - !!CPUID_GUEST_NR_CACHE + \
- CPUID_GUEST_NR_TOPO - !!CPUID_GUEST_NR_TOPO + \
- CPUID_GUEST_NR_XSTATE - !!CPUID_GUEST_NR_XSTATE + \
- CPUID_GUEST_NR_EXTD + 2 /* hv_limit and hv2_limit */ )
-
-struct cpuid_policy
-{
-#define DECL_BITFIELD(word) _DECL_BITFIELD(FEATURESET_ ## word)
-#define _DECL_BITFIELD(x) __DECL_BITFIELD(x)
-#define __DECL_BITFIELD(x) CPUID_BITFIELD_ ## x
-
- /* Basic leaves: 0x000000xx */
- union {
- struct cpuid_leaf raw[CPUID_GUEST_NR_BASIC];
- struct {
- /* Leaf 0x0 - Max and vendor. */
- uint32_t max_leaf, vendor_ebx, vendor_ecx, vendor_edx;
-
- /* Leaf 0x1 - Family/model/stepping and features. */
- uint32_t raw_fms;
- uint8_t :8, /* Brand ID. */
- clflush_size, /* Number of 8-byte blocks per cache line. */
- lppp, /* Logical processors per package. */
- apic_id; /* Initial APIC ID. */
- union {
- uint32_t _1c;
- struct { DECL_BITFIELD(1c); };
- };
- union {
- uint32_t _1d;
- struct { DECL_BITFIELD(1d); };
- };
-
- /* Leaf 0x2 - TLB/Cache/Prefetch. */
- uint8_t l2_nr_queries; /* Documented as fixed to 1. */
- uint8_t l2_desc[15];
-
- uint64_t :64, :64; /* Leaf 0x3 - PSN. */
- uint64_t :64, :64; /* Leaf 0x4 - Structured Cache. */
- uint64_t :64, :64; /* Leaf 0x5 - MONITOR. */
- uint64_t :64, :64; /* Leaf 0x6 - Therm/Perf. */
- uint64_t :64, :64; /* Leaf 0x7 - Structured Features. */
- uint64_t :64, :64; /* Leaf 0x8 - rsvd */
- uint64_t :64, :64; /* Leaf 0x9 - DCA */
-
- /* Leaf 0xa - Intel PMU. */
- uint8_t pmu_version, _pmu[15];
-
- uint64_t :64, :64; /* Leaf 0xb - Topology. */
- uint64_t :64, :64; /* Leaf 0xc - rsvd */
- uint64_t :64, :64; /* Leaf 0xd - XSTATE. */
- };
- } basic;
-
- /* Structured cache leaf: 0x00000004[xx] */
- union {
- struct cpuid_leaf raw[CPUID_GUEST_NR_CACHE];
- struct cpuid_cache_leaf {
- uint32_t /* a */ type:5, level:3;
- bool self_init:1, fully_assoc:1;
- uint32_t :4, threads_per_cache:12, cores_per_package:6;
- uint32_t /* b */ line_size:12, partitions:10, ways:10;
- uint32_t /* c */ sets;
- bool /* d */ wbinvd:1, inclusive:1, complex:1;
- } subleaf[CPUID_GUEST_NR_CACHE];
- } cache;
-
- /* Structured feature leaf: 0x00000007[xx] */
- union {
- struct cpuid_leaf raw[CPUID_GUEST_NR_FEAT];
- struct {
- /* Subleaf 0. */
- uint32_t max_subleaf;
- union {
- uint32_t _7b0;
- struct { DECL_BITFIELD(7b0); };
- };
- union {
- uint32_t _7c0;
- struct { DECL_BITFIELD(7c0); };
- };
- union {
- uint32_t _7d0;
- struct { DECL_BITFIELD(7d0); };
- };
-
- /* Subleaf 1. */
- union {
- uint32_t _7a1;
- struct { DECL_BITFIELD(7a1); };
- };
- union {
- uint32_t _7b1;
- struct { DECL_BITFIELD(7b1); };
- };
- uint32_t /* c */:32, /* d */:32;
-
- /* Subleaf 2. */
- uint32_t /* a */:32, /* b */:32, /* c */:32;
- union {
- uint32_t _7d2;
- struct { DECL_BITFIELD(7d2); };
- };
- };
- } feat;
-
- /* Extended topology enumeration: 0x0000000B[xx] */
- union {
- struct cpuid_leaf raw[CPUID_GUEST_NR_TOPO];
- struct cpuid_topo_leaf {
- uint32_t id_shift:5, :27;
- uint16_t nr_logical, :16;
- uint8_t level, type, :8, :8;
- uint32_t x2apic_id;
- } subleaf[CPUID_GUEST_NR_TOPO];
- } topo;
-
- /* Xstate feature leaf: 0x0000000D[xx] */
- union {
- struct cpuid_leaf raw[CPUID_GUEST_NR_XSTATE];
-
- struct {
- /* Subleaf 0. */
- uint32_t xcr0_low, /* b */:32, max_size, xcr0_high;
-
- /* Subleaf 1. */
- union {
- uint32_t Da1;
- struct { DECL_BITFIELD(Da1); };
- };
- uint32_t /* b */:32, xss_low, xss_high;
- };
-
- /* Per-component common state. Valid for i >= 2. */
- struct {
- uint32_t size, offset;
- bool xss:1, align:1;
- uint32_t _res_d;
- } comp[CPUID_GUEST_NR_XSTATE];
- } xstate;
-
- /* Extended leaves: 0x800000xx */
- union {
- struct cpuid_leaf raw[CPUID_GUEST_NR_EXTD];
- struct {
- /* Leaf 0x80000000 - Max and vendor. */
- uint32_t max_leaf, vendor_ebx, vendor_ecx, vendor_edx;
-
- /* Leaf 0x80000001 - Family/model/stepping and features. */
- uint32_t raw_fms, /* b */:32;
- union {
- uint32_t e1c;
- struct { DECL_BITFIELD(e1c); };
- };
- union {
- uint32_t e1d;
- struct { DECL_BITFIELD(e1d); };
- };
-
- uint64_t :64, :64; /* Brand string. */
- uint64_t :64, :64; /* Brand string. */
- uint64_t :64, :64; /* Brand string. */
- uint64_t :64, :64; /* L1 cache/TLB. */
- uint64_t :64, :64; /* L2/3 cache/TLB. */
-
- /* Leaf 0x80000007 - Advanced Power Management. */
- uint32_t /* a */:32, /* b */:32, /* c */:32;
- union {
- uint32_t e7d;
- struct { DECL_BITFIELD(e7d); };
- };
-
- /* Leaf 0x80000008 - Misc addr/feature info. */
- uint8_t maxphysaddr, maxlinaddr, :8, :8;
- union {
- uint32_t e8b;
- struct { DECL_BITFIELD(e8b); };
- };
- uint32_t nc:8, :4, apic_id_size:4, :16;
- uint32_t /* d */:32;
-
- uint64_t :64, :64; /* Leaf 0x80000009. */
- uint64_t :64, :64; /* Leaf 0x8000000a - SVM rev and features. */
- uint64_t :64, :64; /* Leaf 0x8000000b. */
- uint64_t :64, :64; /* Leaf 0x8000000c. */
- uint64_t :64, :64; /* Leaf 0x8000000d. */
- uint64_t :64, :64; /* Leaf 0x8000000e. */
- uint64_t :64, :64; /* Leaf 0x8000000f. */
- uint64_t :64, :64; /* Leaf 0x80000010. */
- uint64_t :64, :64; /* Leaf 0x80000011. */
- uint64_t :64, :64; /* Leaf 0x80000012. */
- uint64_t :64, :64; /* Leaf 0x80000013. */
- uint64_t :64, :64; /* Leaf 0x80000014. */
- uint64_t :64, :64; /* Leaf 0x80000015. */
- uint64_t :64, :64; /* Leaf 0x80000016. */
- uint64_t :64, :64; /* Leaf 0x80000017. */
- uint64_t :64, :64; /* Leaf 0x80000018. */
- uint64_t :64, :64; /* Leaf 0x80000019 - TLB 1GB Identifiers. */
- uint64_t :64, :64; /* Leaf 0x8000001a - Performance related info. */
- uint64_t :64, :64; /* Leaf 0x8000001b - IBS feature information. */
- uint64_t :64, :64; /* Leaf 0x8000001c. */
- uint64_t :64, :64; /* Leaf 0x8000001d - Cache properties. */
- uint64_t :64, :64; /* Leaf 0x8000001e - Extd APIC/Core/Node IDs. */
- uint64_t :64, :64; /* Leaf 0x8000001f - AMD Secure Encryption. */
- uint64_t :64, :64; /* Leaf 0x80000020 - Platform QoS. */
-
- /* Leaf 0x80000021 - Extended Feature 2 */
- union {
- uint32_t e21a;
- struct { DECL_BITFIELD(e21a); };
- };
- uint32_t /* b */:32, /* c */:32, /* d */:32;
- };
- } extd;
-
-#undef __DECL_BITFIELD
-#undef _DECL_BITFIELD
-#undef DECL_BITFIELD
-
- /* Toolstack selected Hypervisor max_leaf (if non-zero). */
- uint8_t hv_limit, hv2_limit;
-
- /* Value calculated from raw data above. */
- uint8_t x86_vendor;
-};
-
-/* Fill in a featureset bitmap from a CPUID policy. */
-static inline void cpuid_policy_to_featureset(
- const struct cpuid_policy *p, uint32_t fs[FEATURESET_NR_ENTRIES])
-{
- fs[FEATURESET_1d] = p->basic._1d;
- fs[FEATURESET_1c] = p->basic._1c;
- fs[FEATURESET_e1d] = p->extd.e1d;
- fs[FEATURESET_e1c] = p->extd.e1c;
- fs[FEATURESET_Da1] = p->xstate.Da1;
- fs[FEATURESET_7b0] = p->feat._7b0;
- fs[FEATURESET_7c0] = p->feat._7c0;
- fs[FEATURESET_e7d] = p->extd.e7d;
- fs[FEATURESET_e8b] = p->extd.e8b;
- fs[FEATURESET_7d0] = p->feat._7d0;
- fs[FEATURESET_7a1] = p->feat._7a1;
- fs[FEATURESET_e21a] = p->extd.e21a;
- fs[FEATURESET_7b1] = p->feat._7b1;
- fs[FEATURESET_7d2] = p->feat._7d2;
-}
-
-/* Fill in a CPUID policy from a featureset bitmap. */
-static inline void cpuid_featureset_to_policy(
- const uint32_t fs[FEATURESET_NR_ENTRIES], struct cpuid_policy *p)
-{
- p->basic._1d = fs[FEATURESET_1d];
- p->basic._1c = fs[FEATURESET_1c];
- p->extd.e1d = fs[FEATURESET_e1d];
- p->extd.e1c = fs[FEATURESET_e1c];
- p->xstate.Da1 = fs[FEATURESET_Da1];
- p->feat._7b0 = fs[FEATURESET_7b0];
- p->feat._7c0 = fs[FEATURESET_7c0];
- p->extd.e7d = fs[FEATURESET_e7d];
- p->extd.e8b = fs[FEATURESET_e8b];
- p->feat._7d0 = fs[FEATURESET_7d0];
- p->feat._7a1 = fs[FEATURESET_7a1];
- p->extd.e21a = fs[FEATURESET_e21a];
- p->feat._7b1 = fs[FEATURESET_7b1];
- p->feat._7d2 = fs[FEATURESET_7d2];
-}
-
-static inline uint64_t cpuid_policy_xcr0_max(const struct cpuid_policy *p)
-{
- return ((uint64_t)p->xstate.xcr0_high << 32) | p->xstate.xcr0_low;
-}
-
-static inline uint64_t cpuid_policy_xstates(const struct cpuid_policy *p)
-{
- uint64_t val = p->xstate.xcr0_high | p->xstate.xss_high;
-
- return (val << 32) | p->xstate.xcr0_low | p->xstate.xss_low;
-}
-
-const uint32_t *x86_cpuid_lookup_deep_deps(uint32_t feature);
-
-/**
- * Recalculate the content in a CPUID policy which is derived from raw data.
- */
-void x86_cpuid_policy_recalc_synth(struct cpuid_policy *p);
-
-/**
- * Fill a CPUID policy using the native CPUID instruction.
- *
- * No sanitisation is performed, but synthesised values are calculated.
- * Values may be influenced by a hypervisor or from masking/faulting
- * configuration.
- */
-void x86_cpuid_policy_fill_native(struct cpuid_policy *p);
-
-/**
- * Clear leaf data beyond the policies max leaf/subleaf settings.
- *
- * Policy serialisation purposefully omits out-of-range leaves, because there
- * are a large number of them due to vendor differences. However, when
- * constructing new policies (e.g. levelling down), it is possible to end up
- * with out-of-range leaves with stale content in them. This helper clears
- * them.
- */
-void x86_cpuid_policy_clear_out_of_range_leaves(struct cpuid_policy *p);
-
-#ifdef __XEN__
-#include <public/arch-x86/xen.h>
-typedef XEN_GUEST_HANDLE_64(xen_cpuid_leaf_t) cpuid_leaf_buffer_t;
-#else
-#include <xen/arch-x86/xen.h>
-typedef xen_cpuid_leaf_t cpuid_leaf_buffer_t[];
-#endif
-
-/**
- * Serialise a cpuid_policy object into an array of cpuid leaves.
- *
- * @param policy The cpuid_policy to serialise.
- * @param leaves The array of leaves to serialise into.
- * @param nr_entries The number of entries in 'leaves'.
- * @returns -errno
- *
- * Writes at most CPUID_MAX_SERIALISED_LEAVES. May fail with -ENOBUFS if the
- * leaves array is too short. On success, nr_entries is updated with the
- * actual number of leaves written.
- */
-int x86_cpuid_copy_to_buffer(const struct cpuid_policy *policy,
- cpuid_leaf_buffer_t leaves, uint32_t *nr_entries);
-
-/**
- * Unserialise a cpuid_policy object from an array of cpuid leaves.
- *
- * @param policy The cpuid_policy to unserialise into.
- * @param leaves The array of leaves to unserialise from.
- * @param nr_entries The number of entries in 'leaves'.
- * @param err_leaf Optional hint for error diagnostics.
- * @param err_subleaf Optional hint for error diagnostics.
- * @returns -errno
- *
- * Reads at most CPUID_MAX_SERIALISED_LEAVES. May return -ERANGE if an
- * incoming leaf is out of range of cpuid_policy, in which case the optional
- * err_* pointers will identify the out-of-range indicies.
- *
- * No content validation of in-range leaves is performed. Synthesised data is
- * recalculated.
- */
-int x86_cpuid_copy_from_buffer(struct cpuid_policy *policy,
- const cpuid_leaf_buffer_t leaves,
- uint32_t nr_entries, uint32_t *err_leaf,
- uint32_t *err_subleaf);
-
-#endif /* !XEN_LIB_X86_CPUID_H */
-
-/*
- * Local variables:
- * mode: C
- * c-file-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/xen/lib/x86/cpu-policy.h xen-4.14.6/xen/include/xen/lib/x86/cpu-policy.h
--- xen-4.14.5+94-ge49571868d/xen/include/xen/lib/x86/cpu-policy.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/xen/lib/x86/cpu-policy.h 2023-08-07 14:11:14.000000000 +0200
@@ -2,13 +2,375 @@
#ifndef XEN_LIB_X86_POLICIES_H
#define XEN_LIB_X86_POLICIES_H
-#include <xen/lib/x86/cpuid.h>
-#include <xen/lib/x86/msr.h>
+#include <xen/lib/x86/cpuid-autogen.h>
+
+#define FEATURESET_1d 0 /* 0x00000001.edx */
+#define FEATURESET_1c 1 /* 0x00000001.ecx */
+#define FEATURESET_e1d 2 /* 0x80000001.edx */
+#define FEATURESET_e1c 3 /* 0x80000001.ecx */
+#define FEATURESET_Da1 4 /* 0x0000000d:1.eax */
+#define FEATURESET_7b0 5 /* 0x00000007:0.ebx */
+#define FEATURESET_7c0 6 /* 0x00000007:0.ecx */
+#define FEATURESET_e7d 7 /* 0x80000007.edx */
+#define FEATURESET_e8b 8 /* 0x80000008.ebx */
+#define FEATURESET_7d0 9 /* 0x00000007:0.edx */
+#define FEATURESET_7a1 10 /* 0x00000007:1.eax */
+#define FEATURESET_e21a 11 /* 0x80000021.eax */
+#define FEATURESET_7b1 12 /* 0x00000007:1.ebx */
+#define FEATURESET_7d2 13 /* 0x00000007:2.edx */
+#define FEATURESET_7c1 14 /* 0x00000007:1.ecx */
+#define FEATURESET_7d1 15 /* 0x00000007:1.edx */
+#define FEATURESET_m10Al 16 /* 0x0000010a.eax */
+#define FEATURESET_m10Ah 17 /* 0x0000010a.edx */
+
+struct cpuid_leaf
+{
+ uint32_t a, b, c, d;
+};
+
+/*
+ * Versions of GCC before 5 unconditionally reserve %rBX as the PIC hard
+ * register, and are unable to cope with spilling it. This results in a
+ * rather cryptic error:
+ * error: inconsistent operand constraints in an ‘asm’
+ *
+ * In affected situations, work around the issue by using a separate register
+ * to hold the the %rBX output, and xchg twice to leave %rBX preserved around
+ * the asm() statement.
+ */
+#if defined(__PIC__) && __GNUC__ < 5 && !defined(__clang__) && defined(__i386__)
+# define XCHG_BX "xchg %%ebx, %[bx];"
+# define BX_CON [bx] "=&r"
+#elif defined(__PIC__) && __GNUC__ < 5 && !defined(__clang__) && \
+ defined(__x86_64__) && (defined(__code_model_medium__) || \
+ defined(__code_model_large__))
+# define XCHG_BX "xchg %%rbx, %q[bx];"
+# define BX_CON [bx] "=&r"
+#else
+# define XCHG_BX ""
+# define BX_CON "=&b"
+#endif
+
+static inline void cpuid_leaf(uint32_t leaf, struct cpuid_leaf *l)
+{
+ asm ( XCHG_BX
+ "cpuid;"
+ XCHG_BX
+ : "=a" (l->a), BX_CON (l->b), "=&c" (l->c), "=&d" (l->d)
+ : "a" (leaf) );
+}
+
+static inline void cpuid_count_leaf(
+ uint32_t leaf, uint32_t subleaf, struct cpuid_leaf *l)
+{
+ asm ( XCHG_BX
+ "cpuid;"
+ XCHG_BX
+ : "=a" (l->a), BX_CON (l->b), "=c" (l->c), "=&d" (l->d)
+ : "a" (leaf), "c" (subleaf) );
+}
+
+#undef BX_CON
+#undef XCHG
+
+/**
+ * Given the vendor id from CPUID leaf 0, look up Xen's internal integer
+ * vendor ID. Returns X86_VENDOR_UNKNOWN for any unknown vendor.
+ */
+unsigned int x86_cpuid_lookup_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx);
+
+/**
+ * Given Xen's internal vendor ID, return a string suitable for printing.
+ * Returns "Unknown" for any unrecognised ID.
+ */
+const char *x86_cpuid_vendor_to_str(unsigned int vendor);
+
+#define CPUID_GUEST_NR_BASIC (0xdu + 1)
+#define CPUID_GUEST_NR_CACHE (5u + 1)
+#define CPUID_GUEST_NR_FEAT (2u + 1)
+#define CPUID_GUEST_NR_TOPO (1u + 1)
+#define CPUID_GUEST_NR_XSTATE (62u + 1)
+#define CPUID_GUEST_NR_EXTD_INTEL (0x8u + 1)
+#define CPUID_GUEST_NR_EXTD_AMD (0x21u + 1)
+#define CPUID_GUEST_NR_EXTD MAX(CPUID_GUEST_NR_EXTD_INTEL, \
+ CPUID_GUEST_NR_EXTD_AMD)
+
+/*
+ * Maximum number of leaves a struct cpu_policy turns into when serialised for
+ * interaction with the toolstack. (Sum of all leaves in each union, less the
+ * entries in basic which sub-unions hang off of.)
+ */
+#define CPUID_MAX_SERIALISED_LEAVES \
+ (CPUID_GUEST_NR_BASIC + \
+ CPUID_GUEST_NR_FEAT - !!CPUID_GUEST_NR_FEAT + \
+ CPUID_GUEST_NR_CACHE - !!CPUID_GUEST_NR_CACHE + \
+ CPUID_GUEST_NR_TOPO - !!CPUID_GUEST_NR_TOPO + \
+ CPUID_GUEST_NR_XSTATE - !!CPUID_GUEST_NR_XSTATE + \
+ CPUID_GUEST_NR_EXTD + 2 /* hv_limit and hv2_limit */ )
+
+/* Maximum number of MSRs written when serialising a cpu_policy. */
+#define MSR_MAX_SERIALISED_ENTRIES 2
struct cpu_policy
{
- struct cpuid_policy *cpuid;
- struct msr_policy *msr;
+#define DECL_BITFIELD(word) _DECL_BITFIELD(FEATURESET_ ## word)
+#define _DECL_BITFIELD(x) __DECL_BITFIELD(x)
+#define __DECL_BITFIELD(x) CPUID_BITFIELD_ ## x
+
+ /* Basic leaves: 0x000000xx */
+ union {
+ struct cpuid_leaf raw[CPUID_GUEST_NR_BASIC];
+ struct {
+ /* Leaf 0x0 - Max and vendor. */
+ uint32_t max_leaf, vendor_ebx, vendor_ecx, vendor_edx;
+
+ /* Leaf 0x1 - Family/model/stepping and features. */
+ uint32_t raw_fms;
+ uint8_t :8, /* Brand ID. */
+ clflush_size, /* Number of 8-byte blocks per cache line. */
+ lppp, /* Logical processors per package. */
+ apic_id; /* Initial APIC ID. */
+ union {
+ uint32_t _1c;
+ struct { DECL_BITFIELD(1c); };
+ };
+ union {
+ uint32_t _1d;
+ struct { DECL_BITFIELD(1d); };
+ };
+
+ /* Leaf 0x2 - TLB/Cache/Prefetch. */
+ uint8_t l2_nr_queries; /* Documented as fixed to 1. */
+ uint8_t l2_desc[15];
+
+ uint64_t :64, :64; /* Leaf 0x3 - PSN. */
+ uint64_t :64, :64; /* Leaf 0x4 - Structured Cache. */
+ uint64_t :64, :64; /* Leaf 0x5 - MONITOR. */
+ uint64_t :64, :64; /* Leaf 0x6 - Therm/Perf. */
+ uint64_t :64, :64; /* Leaf 0x7 - Structured Features. */
+ uint64_t :64, :64; /* Leaf 0x8 - rsvd */
+ uint64_t :64, :64; /* Leaf 0x9 - DCA */
+
+ /* Leaf 0xa - Intel PMU. */
+ uint8_t pmu_version, _pmu[15];
+
+ uint64_t :64, :64; /* Leaf 0xb - Topology. */
+ uint64_t :64, :64; /* Leaf 0xc - rsvd */
+ uint64_t :64, :64; /* Leaf 0xd - XSTATE. */
+ };
+ } basic;
+
+ /* Structured cache leaf: 0x00000004[xx] */
+ union {
+ struct cpuid_leaf raw[CPUID_GUEST_NR_CACHE];
+ struct cpuid_cache_leaf {
+ uint32_t /* a */ type:5, level:3;
+ bool self_init:1, fully_assoc:1;
+ uint32_t :4, threads_per_cache:12, cores_per_package:6;
+ uint32_t /* b */ line_size:12, partitions:10, ways:10;
+ uint32_t /* c */ sets;
+ bool /* d */ wbinvd:1, inclusive:1, complex:1;
+ } subleaf[CPUID_GUEST_NR_CACHE];
+ } cache;
+
+ /* Structured feature leaf: 0x00000007[xx] */
+ union {
+ struct cpuid_leaf raw[CPUID_GUEST_NR_FEAT];
+ struct {
+ /* Subleaf 0. */
+ uint32_t max_subleaf;
+ union {
+ uint32_t _7b0;
+ struct { DECL_BITFIELD(7b0); };
+ };
+ union {
+ uint32_t _7c0;
+ struct { DECL_BITFIELD(7c0); };
+ };
+ union {
+ uint32_t _7d0;
+ struct { DECL_BITFIELD(7d0); };
+ };
+
+ /* Subleaf 1. */
+ union {
+ uint32_t _7a1;
+ struct { DECL_BITFIELD(7a1); };
+ };
+ union {
+ uint32_t _7b1;
+ struct { DECL_BITFIELD(7b1); };
+ };
+ union {
+ uint32_t _7c1;
+ struct { DECL_BITFIELD(7c1); };
+ };
+ union {
+ uint32_t _7d1;
+ struct { DECL_BITFIELD(7d1); };
+ };
+
+ /* Subleaf 2. */
+ uint32_t /* a */:32, /* b */:32, /* c */:32;
+ union {
+ uint32_t _7d2;
+ struct { DECL_BITFIELD(7d2); };
+ };
+ };
+ } feat;
+
+ /* Extended topology enumeration: 0x0000000B[xx] */
+ union {
+ struct cpuid_leaf raw[CPUID_GUEST_NR_TOPO];
+ struct cpuid_topo_leaf {
+ uint32_t id_shift:5, :27;
+ uint16_t nr_logical, :16;
+ uint8_t level, type, :8, :8;
+ uint32_t x2apic_id;
+ } subleaf[CPUID_GUEST_NR_TOPO];
+ } topo;
+
+ /* Xstate feature leaf: 0x0000000D[xx] */
+ union {
+ struct cpuid_leaf raw[CPUID_GUEST_NR_XSTATE];
+
+ struct {
+ /* Subleaf 0. */
+ uint32_t xcr0_low, /* b */:32, max_size, xcr0_high;
+
+ /* Subleaf 1. */
+ union {
+ uint32_t Da1;
+ struct { DECL_BITFIELD(Da1); };
+ };
+ uint32_t /* b */:32, xss_low, xss_high;
+ };
+
+ /* Per-component common state. Valid for i >= 2. */
+ struct {
+ uint32_t size, offset;
+ bool xss:1, align:1;
+ uint32_t _res_d;
+ } comp[CPUID_GUEST_NR_XSTATE];
+ } xstate;
+
+ /* Extended leaves: 0x800000xx */
+ union {
+ struct cpuid_leaf raw[CPUID_GUEST_NR_EXTD];
+ struct {
+ /* Leaf 0x80000000 - Max and vendor. */
+ uint32_t max_leaf, vendor_ebx, vendor_ecx, vendor_edx;
+
+ /* Leaf 0x80000001 - Family/model/stepping and features. */
+ uint32_t raw_fms, /* b */:32;
+ union {
+ uint32_t e1c;
+ struct { DECL_BITFIELD(e1c); };
+ };
+ union {
+ uint32_t e1d;
+ struct { DECL_BITFIELD(e1d); };
+ };
+
+ uint64_t :64, :64; /* Brand string. */
+ uint64_t :64, :64; /* Brand string. */
+ uint64_t :64, :64; /* Brand string. */
+ uint64_t :64, :64; /* L1 cache/TLB. */
+ uint64_t :64, :64; /* L2/3 cache/TLB. */
+
+ /* Leaf 0x80000007 - Advanced Power Management. */
+ uint32_t /* a */:32, /* b */:32, /* c */:32;
+ union {
+ uint32_t e7d;
+ struct { DECL_BITFIELD(e7d); };
+ };
+
+ /* Leaf 0x80000008 - Misc addr/feature info. */
+ uint8_t maxphysaddr, maxlinaddr, :8, :8;
+ union {
+ uint32_t e8b;
+ struct { DECL_BITFIELD(e8b); };
+ };
+ uint32_t nc:8, :4, apic_id_size:4, :16;
+ uint32_t /* d */:32;
+
+ uint64_t :64, :64; /* Leaf 0x80000009. */
+ uint64_t :64, :64; /* Leaf 0x8000000a - SVM rev and features. */
+ uint64_t :64, :64; /* Leaf 0x8000000b. */
+ uint64_t :64, :64; /* Leaf 0x8000000c. */
+ uint64_t :64, :64; /* Leaf 0x8000000d. */
+ uint64_t :64, :64; /* Leaf 0x8000000e. */
+ uint64_t :64, :64; /* Leaf 0x8000000f. */
+ uint64_t :64, :64; /* Leaf 0x80000010. */
+ uint64_t :64, :64; /* Leaf 0x80000011. */
+ uint64_t :64, :64; /* Leaf 0x80000012. */
+ uint64_t :64, :64; /* Leaf 0x80000013. */
+ uint64_t :64, :64; /* Leaf 0x80000014. */
+ uint64_t :64, :64; /* Leaf 0x80000015. */
+ uint64_t :64, :64; /* Leaf 0x80000016. */
+ uint64_t :64, :64; /* Leaf 0x80000017. */
+ uint64_t :64, :64; /* Leaf 0x80000018. */
+ uint64_t :64, :64; /* Leaf 0x80000019 - TLB 1GB Identifiers. */
+ uint64_t :64, :64; /* Leaf 0x8000001a - Performance related info. */
+ uint64_t :64, :64; /* Leaf 0x8000001b - IBS feature information. */
+ uint64_t :64, :64; /* Leaf 0x8000001c. */
+ uint64_t :64, :64; /* Leaf 0x8000001d - Cache properties. */
+ uint64_t :64, :64; /* Leaf 0x8000001e - Extd APIC/Core/Node IDs. */
+ uint64_t :64, :64; /* Leaf 0x8000001f - AMD Secure Encryption. */
+ uint64_t :64, :64; /* Leaf 0x80000020 - Platform QoS. */
+
+ /* Leaf 0x80000021 - Extended Feature 2 */
+ union {
+ uint32_t e21a;
+ struct { DECL_BITFIELD(e21a); };
+ };
+ uint32_t /* b */:32, /* c */:32, /* d */:32;
+ };
+ } extd;
+
+ /*
+ * 0x000000ce - MSR_INTEL_PLATFORM_INFO
+ *
+ * This MSR is non-architectural, but for simplicy we allow it to be read
+ * unconditionally. CPUID Faulting support can be fully emulated for HVM
+ * guests so can be offered unconditionally, while support for PV guests
+ * is dependent on real hardware support.
+ */
+ union {
+ uint32_t raw;
+ struct {
+ uint32_t :31;
+ bool cpuid_faulting:1;
+ };
+ } platform_info;
+
+ /*
+ * 0x0000010a - MSR_ARCH_CAPABILITIES
+ *
+ * This is an Intel-only MSR, which provides miscellaneous enumeration,
+ * including those which indicate that microarchitectrual sidechannels are
+ * fixed in hardware.
+ */
+ union {
+ uint64_t raw;
+ struct {
+ uint32_t lo, hi;
+ };
+ struct {
+ DECL_BITFIELD(m10Al);
+ DECL_BITFIELD(m10Ah);
+ };
+ } arch_caps;
+
+#undef __DECL_BITFIELD
+#undef _DECL_BITFIELD
+#undef DECL_BITFIELD
+
+ /* Toolstack selected Hypervisor max_leaf (if non-zero). */
+ uint8_t hv_limit, hv2_limit;
+
+ /* Value calculated from raw data above. */
+ uint8_t x86_vendor;
};
struct cpu_policy_errors
@@ -19,7 +381,148 @@
#define INIT_CPU_POLICY_ERRORS { -1, -1, -1 }
-/*
+/**
+ * Copy the featureset words out of a cpu_policy object.
+ */
+void x86_cpu_policy_to_featureset(const struct cpu_policy *p,
+ uint32_t fs[FEATURESET_NR_ENTRIES]);
+
+/**
+ * Copy the featureset words back into a cpu_policy object.
+ */
+void x86_cpu_featureset_to_policy(const uint32_t fs[FEATURESET_NR_ENTRIES],
+ struct cpu_policy *p);
+
+static inline uint64_t cpu_policy_xcr0_max(const struct cpu_policy *p)
+{
+ return ((uint64_t)p->xstate.xcr0_high << 32) | p->xstate.xcr0_low;
+}
+
+static inline uint64_t cpu_policy_xstates(const struct cpu_policy *p)
+{
+ uint64_t val = p->xstate.xcr0_high | p->xstate.xss_high;
+
+ return (val << 32) | p->xstate.xcr0_low | p->xstate.xss_low;
+}
+
+/**
+ * For a specific feature, look up the dependent features. Returns NULL if
+ * this feature has no dependencies. Otherwise return a featureset of
+ * dependent features, which has been recursively flattened.
+ */
+const uint32_t *x86_cpu_policy_lookup_deep_deps(uint32_t feature);
+
+/**
+ * Recalculate the content in a CPU policy which is derived from raw data.
+ */
+void x86_cpu_policy_recalc_synth(struct cpu_policy *p);
+
+/**
+ * Fill CPU policy using the native CPUID/RDMSR instruction.
+ *
+ * No sanitisation is performed, but synthesised values are calculated.
+ * Values may be influenced by a hypervisor or from masking/faulting
+ * configuration.
+ */
+void x86_cpu_policy_fill_native(struct cpu_policy *p);
+
+/**
+ * Clear leaf data beyond the policies max leaf/subleaf settings.
+ *
+ * Policy serialisation purposefully omits out-of-range leaves, because there
+ * are a large number of them due to vendor differences. However, when
+ * constructing new policies (e.g. levelling down), it is possible to end up
+ * with out-of-range leaves with stale content in them. This helper clears
+ * them.
+ */
+void x86_cpu_policy_clear_out_of_range_leaves(struct cpu_policy *p);
+
+#ifdef __XEN__
+#include <public/arch-x86/xen.h>
+typedef XEN_GUEST_HANDLE_64(xen_cpuid_leaf_t) cpuid_leaf_buffer_t;
+typedef XEN_GUEST_HANDLE_64(xen_msr_entry_t) msr_entry_buffer_t;
+#else
+#include <xen/arch-x86/xen.h>
+typedef xen_cpuid_leaf_t cpuid_leaf_buffer_t[];
+typedef xen_msr_entry_t msr_entry_buffer_t[];
+#endif
+
+/**
+ * Serialise the CPUID leaves of a cpu_policy object into an array of cpuid
+ * leaves.
+ *
+ * @param policy The cpu_policy to serialise.
+ * @param leaves The array of leaves to serialise into.
+ * @param nr_entries The number of entries in 'leaves'.
+ * @returns -errno
+ *
+ * Writes at most CPUID_MAX_SERIALISED_LEAVES. May fail with -ENOBUFS if the
+ * leaves array is too short. On success, nr_entries is updated with the
+ * actual number of leaves written.
+ */
+int x86_cpuid_copy_to_buffer(const struct cpu_policy *policy,
+ cpuid_leaf_buffer_t leaves, uint32_t *nr_entries);
+
+/**
+ * Unserialise the CPUID leaves of a cpu_policy object into an array of cpuid
+ * leaves.
+ *
+ * @param policy The cpu_policy to unserialise into.
+ * @param leaves The array of leaves to unserialise from.
+ * @param nr_entries The number of entries in 'leaves'.
+ * @param err_leaf Optional hint for error diagnostics.
+ * @param err_subleaf Optional hint for error diagnostics.
+ * @returns -errno
+ *
+ * Reads at most CPUID_MAX_SERIALISED_LEAVES. May return -ERANGE if an
+ * incoming leaf is out of range of cpu_policy, in which case the optional
+ * err_* pointers will identify the out-of-range indicies.
+ *
+ * No content validation of in-range leaves is performed. Synthesised data is
+ * recalculated.
+ */
+int x86_cpuid_copy_from_buffer(struct cpu_policy *policy,
+ const cpuid_leaf_buffer_t leaves,
+ uint32_t nr_entries, uint32_t *err_leaf,
+ uint32_t *err_subleaf);
+
+/**
+ * Serialise the MSRs of a cpu_policy object into an array.
+ *
+ * @param policy The cpu_policy to serialise.
+ * @param msrs The array of msrs to serialise into.
+ * @param nr_entries The number of entries in 'msrs'.
+ * @returns -errno
+ *
+ * Writes at most MSR_MAX_SERIALISED_ENTRIES. May fail with -ENOBUFS if the
+ * buffer array is too short. On success, nr_entries is updated with the
+ * actual number of msrs written.
+ */
+int x86_msr_copy_to_buffer(const struct cpu_policy *policy,
+ msr_entry_buffer_t msrs, uint32_t *nr_entries);
+
+/**
+ * Unserialise the MSRs of a cpu_policy object from an array of msrs.
+ *
+ * @param policy The cpu_policy object to unserialise into.
+ * @param msrs The array of msrs to unserialise from.
+ * @param nr_entries The number of entries in 'msrs'.
+ * @param err_msr Optional hint for error diagnostics.
+ * @returns -errno
+ *
+ * Reads at most MSR_MAX_SERIALISED_ENTRIES. May fail for a number of reasons
+ * based on the content in an individual 'msrs' entry, including the MSR index
+ * not being valid in the policy, the flags field being nonzero, or if the
+ * value provided would truncate when stored in the policy. In such cases,
+ * the optional err_* pointer will identify the problematic MSR.
+ *
+ * No content validation is performed on the data stored in the policy object.
+ */
+int x86_msr_copy_from_buffer(struct cpu_policy *policy,
+ const msr_entry_buffer_t msrs, uint32_t nr_entries,
+ uint32_t *err_msr);
+
+/**
* Calculate whether two policies are compatible.
*
* i.e. Can a VM configured with @guest run on a CPU supporting @host.
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/xen/lib/x86/msr.h xen-4.14.6/xen/include/xen/lib/x86/msr.h
--- xen-4.14.5+94-ge49571868d/xen/include/xen/lib/x86/msr.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/xen/lib/x86/msr.h 1970-01-01 01:00:00.000000000 +0100
@@ -1,104 +0,0 @@
-/* Common data structures and functions consumed by hypervisor and toolstack */
-#ifndef XEN_LIB_X86_MSR_H
-#define XEN_LIB_X86_MSR_H
-
-/* Maximum number of MSRs written when serialising msr_policy. */
-#define MSR_MAX_SERIALISED_ENTRIES 2
-
-/* MSR policy object for shared per-domain MSRs */
-struct msr_policy
-{
- /*
- * 0x000000ce - MSR_INTEL_PLATFORM_INFO
- *
- * This MSR is non-architectural, but for simplicy we allow it to be read
- * unconditionally. CPUID Faulting support can be fully emulated for HVM
- * guests so can be offered unconditionally, while support for PV guests
- * is dependent on real hardware support.
- */
- union {
- uint32_t raw;
- struct {
- uint32_t :31;
- bool cpuid_faulting:1;
- };
- } platform_info;
-
- /*
- * 0x0000010a - MSR_ARCH_CAPABILITIES
- *
- * This is an Intel-only MSR, which provides miscellaneous enumeration,
- * including those which indicate that microarchitectrual sidechannels are
- * fixed in hardware.
- */
- union {
- uint32_t raw;
- struct {
- bool rdcl_no:1;
- bool ibrs_all:1;
- bool rsba:1;
- bool skip_l1dfl:1;
- bool ssb_no:1;
- bool mds_no:1;
- bool if_pschange_mc_no:1;
- bool tsx_ctrl:1;
- bool taa_no:1;
- };
- } arch_caps;
-};
-
-#ifdef __XEN__
-#include <public/arch-x86/xen.h>
-typedef XEN_GUEST_HANDLE_64(xen_msr_entry_t) msr_entry_buffer_t;
-#else
-#include <xen/arch-x86/xen.h>
-typedef xen_msr_entry_t msr_entry_buffer_t[];
-#endif
-
-/**
- * Serialise an msr_policy object into an array.
- *
- * @param policy The msr_policy to serialise.
- * @param msrs The array of msrs to serialise into.
- * @param nr_entries The number of entries in 'msrs'.
- * @returns -errno
- *
- * Writes at most MSR_MAX_SERIALISED_ENTRIES. May fail with -ENOBUFS if the
- * buffer array is too short. On success, nr_entries is updated with the
- * actual number of msrs written.
- */
-int x86_msr_copy_to_buffer(const struct msr_policy *policy,
- msr_entry_buffer_t msrs, uint32_t *nr_entries);
-
-/**
- * Unserialise an msr_policy object from an array of msrs.
- *
- * @param policy The msr_policy object to unserialise into.
- * @param msrs The array of msrs to unserialise from.
- * @param nr_entries The number of entries in 'msrs'.
- * @param err_msr Optional hint for error diagnostics.
- * @returns -errno
- *
- * Reads at most MSR_MAX_SERIALISED_ENTRIES. May fail for a number of reasons
- * based on the content in an individual 'msrs' entry, including the MSR index
- * not being valid in the policy, the flags field being nonzero, or if the
- * value provided would truncate when stored in the policy. In such cases,
- * the optional err_* pointer will identify the problematic MSR.
- *
- * No content validation is performed on the data stored in the policy object.
- */
-int x86_msr_copy_from_buffer(struct msr_policy *policy,
- const msr_entry_buffer_t msrs, uint32_t nr_entries,
- uint32_t *err_msr);
-
-#endif /* !XEN_LIB_X86_MSR_H */
-
-/*
- * Local variables:
- * mode: C
- * c-file-style: "BSD"
- * c-basic-offset: 4
- * tab-width: 4
- * indent-tabs-mode: nil
- * End:
- */
diff -Nru xen-4.14.5+94-ge49571868d/xen/include/xen/lib.h xen-4.14.6/xen/include/xen/lib.h
--- xen-4.14.5+94-ge49571868d/xen/include/xen/lib.h 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/include/xen/lib.h 2023-08-07 14:11:14.000000000 +0200
@@ -183,6 +183,7 @@
#define TAINT_MACHINE_CHECK (1u << 1)
#define TAINT_ERROR_INJECT (1u << 2)
#define TAINT_HVM_FEP (1u << 3)
+#define TAINT_CPU_OUT_OF_SPEC (1u << 5)
extern unsigned int tainted;
#define TAINT_STRING_MAX_LEN 20
extern char *print_tainted(char *str);
diff -Nru xen-4.14.5+94-ge49571868d/xen/lib/x86/cpuid.c xen-4.14.6/xen/lib/x86/cpuid.c
--- xen-4.14.5+94-ge49571868d/xen/lib/x86/cpuid.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/lib/x86/cpuid.c 2023-08-07 14:11:14.000000000 +0200
@@ -1,6 +1,6 @@
#include "private.h"
-#include <xen/lib/x86/cpuid.h>
+#include <xen/lib/x86/cpu-policy.h>
static void zero_leaves(struct cpuid_leaf *l,
unsigned int first, unsigned int last)
@@ -60,13 +60,59 @@
}
}
-void x86_cpuid_policy_recalc_synth(struct cpuid_policy *p)
+void x86_cpu_policy_to_featureset(
+ const struct cpu_policy *p, uint32_t fs[FEATURESET_NR_ENTRIES])
+{
+ fs[FEATURESET_1d] = p->basic._1d;
+ fs[FEATURESET_1c] = p->basic._1c;
+ fs[FEATURESET_e1d] = p->extd.e1d;
+ fs[FEATURESET_e1c] = p->extd.e1c;
+ fs[FEATURESET_Da1] = p->xstate.Da1;
+ fs[FEATURESET_7b0] = p->feat._7b0;
+ fs[FEATURESET_7c0] = p->feat._7c0;
+ fs[FEATURESET_e7d] = p->extd.e7d;
+ fs[FEATURESET_e8b] = p->extd.e8b;
+ fs[FEATURESET_7d0] = p->feat._7d0;
+ fs[FEATURESET_7a1] = p->feat._7a1;
+ fs[FEATURESET_e21a] = p->extd.e21a;
+ fs[FEATURESET_7b1] = p->feat._7b1;
+ fs[FEATURESET_7d2] = p->feat._7d2;
+ fs[FEATURESET_7c1] = p->feat._7c1;
+ fs[FEATURESET_7d1] = p->feat._7d1;
+ fs[FEATURESET_m10Al] = p->arch_caps.lo;
+ fs[FEATURESET_m10Ah] = p->arch_caps.hi;
+}
+
+void x86_cpu_featureset_to_policy(
+ const uint32_t fs[FEATURESET_NR_ENTRIES], struct cpu_policy *p)
+{
+ p->basic._1d = fs[FEATURESET_1d];
+ p->basic._1c = fs[FEATURESET_1c];
+ p->extd.e1d = fs[FEATURESET_e1d];
+ p->extd.e1c = fs[FEATURESET_e1c];
+ p->xstate.Da1 = fs[FEATURESET_Da1];
+ p->feat._7b0 = fs[FEATURESET_7b0];
+ p->feat._7c0 = fs[FEATURESET_7c0];
+ p->extd.e7d = fs[FEATURESET_e7d];
+ p->extd.e8b = fs[FEATURESET_e8b];
+ p->feat._7d0 = fs[FEATURESET_7d0];
+ p->feat._7a1 = fs[FEATURESET_7a1];
+ p->extd.e21a = fs[FEATURESET_e21a];
+ p->feat._7b1 = fs[FEATURESET_7b1];
+ p->feat._7d2 = fs[FEATURESET_7d2];
+ p->feat._7c1 = fs[FEATURESET_7c1];
+ p->feat._7d1 = fs[FEATURESET_7d1];
+ p->arch_caps.lo = fs[FEATURESET_m10Al];
+ p->arch_caps.hi = fs[FEATURESET_m10Ah];
+}
+
+void x86_cpu_policy_recalc_synth(struct cpu_policy *p)
{
p->x86_vendor = x86_cpuid_lookup_vendor(
p->basic.vendor_ebx, p->basic.vendor_ecx, p->basic.vendor_edx);
}
-void x86_cpuid_policy_fill_native(struct cpuid_policy *p)
+void x86_cpu_policy_fill_native(struct cpu_policy *p)
{
unsigned int i;
@@ -157,7 +203,7 @@
cpuid_count_leaf(0xd, 0, &p->xstate.raw[0]);
cpuid_count_leaf(0xd, 1, &p->xstate.raw[1]);
- xstates = cpuid_policy_xstates(p);
+ xstates = cpu_policy_xstates(p);
/* This logic will probably need adjusting when XCR0[63] gets used. */
BUILD_BUG_ON(ARRAY_SIZE(p->xstate.raw) > 63);
@@ -180,10 +226,17 @@
p->hv_limit = 0;
p->hv2_limit = 0;
- x86_cpuid_policy_recalc_synth(p);
+#ifdef __XEN__
+ /* TODO MSR_PLATFORM_INFO */
+
+ if ( p->feat.arch_caps )
+ rdmsrl(MSR_ARCH_CAPABILITIES, p->arch_caps.raw);
+#endif
+
+ x86_cpu_policy_recalc_synth(p);
}
-void x86_cpuid_policy_clear_out_of_range_leaves(struct cpuid_policy *p)
+void x86_cpu_policy_clear_out_of_range_leaves(struct cpu_policy *p)
{
unsigned int i;
@@ -218,7 +271,7 @@
zero_leaves(p->topo.raw, i, ARRAY_SIZE(p->topo.raw) - 1);
}
- if ( p->basic.max_leaf < 0xd || !cpuid_policy_xstates(p) )
+ if ( p->basic.max_leaf < 0xd || !cpu_policy_xstates(p) )
memset(p->xstate.raw, 0, sizeof(p->xstate.raw));
else
{
@@ -226,7 +279,7 @@
BUILD_BUG_ON(ARRAY_SIZE(p->xstate.raw) > 63);
/* First two leaves always valid. Rest depend on xstates. */
- i = max(2, 64 - __builtin_clzll(cpuid_policy_xstates(p)));
+ i = max(2, 64 - __builtin_clzll(cpu_policy_xstates(p)));
zero_leaves(p->xstate.raw, i,
ARRAY_SIZE(p->xstate.raw) - 1);
@@ -236,7 +289,7 @@
ARRAY_SIZE(p->extd.raw) - 1);
}
-const uint32_t *x86_cpuid_lookup_deep_deps(uint32_t feature)
+const uint32_t *x86_cpu_policy_lookup_deep_deps(uint32_t feature)
{
static const uint32_t deep_features[] = INIT_DEEP_FEATURES;
static const struct {
@@ -291,7 +344,7 @@
return 0;
}
-int x86_cpuid_copy_to_buffer(const struct cpuid_policy *p,
+int x86_cpuid_copy_to_buffer(const struct cpu_policy *p,
cpuid_leaf_buffer_t leaves, uint32_t *nr_entries_p)
{
const uint32_t nr_entries = *nr_entries_p;
@@ -341,7 +394,7 @@
case 0xd:
{
- uint64_t xstates = cpuid_policy_xstates(p);
+ uint64_t xstates = cpu_policy_xstates(p);
COPY_LEAF(leaf, 0, &p->xstate.raw[0]);
COPY_LEAF(leaf, 1, &p->xstate.raw[1]);
@@ -377,7 +430,7 @@
return 0;
}
-int x86_cpuid_copy_from_buffer(struct cpuid_policy *p,
+int x86_cpuid_copy_from_buffer(struct cpu_policy *p,
const cpuid_leaf_buffer_t leaves,
uint32_t nr_entries, uint32_t *err_leaf,
uint32_t *err_subleaf)
@@ -480,7 +533,7 @@
}
}
- x86_cpuid_policy_recalc_synth(p);
+ x86_cpu_policy_recalc_synth(p);
return 0;
diff -Nru xen-4.14.5+94-ge49571868d/xen/lib/x86/msr.c xen-4.14.6/xen/lib/x86/msr.c
--- xen-4.14.5+94-ge49571868d/xen/lib/x86/msr.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/lib/x86/msr.c 2023-08-07 14:11:14.000000000 +0200
@@ -1,6 +1,6 @@
#include "private.h"
-#include <xen/lib/x86/msr.h>
+#include <xen/lib/x86/cpu-policy.h>
/*
* Copy a single MSR into the provided msr_entry_buffer_t buffer, performing a
@@ -23,7 +23,7 @@
return 0;
}
-int x86_msr_copy_to_buffer(const struct msr_policy *p,
+int x86_msr_copy_to_buffer(const struct cpu_policy *p,
msr_entry_buffer_t msrs, uint32_t *nr_entries_p)
{
const uint32_t nr_entries = *nr_entries_p;
@@ -48,7 +48,7 @@
return 0;
}
-int x86_msr_copy_from_buffer(struct msr_policy *p,
+int x86_msr_copy_from_buffer(struct cpu_policy *p,
const msr_entry_buffer_t msrs, uint32_t nr_entries,
uint32_t *err_msr)
{
diff -Nru xen-4.14.5+94-ge49571868d/xen/lib/x86/policy.c xen-4.14.6/xen/lib/x86/policy.c
--- xen-4.14.5+94-ge49571868d/xen/lib/x86/policy.c 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/lib/x86/policy.c 2023-08-07 14:11:14.000000000 +0200
@@ -15,15 +15,15 @@
#define FAIL_MSR(m) \
do { e.msr = (m); goto out; } while ( 0 )
- if ( guest->cpuid->basic.max_leaf > host->cpuid->basic.max_leaf )
+ if ( guest->basic.max_leaf > host->basic.max_leaf )
FAIL_CPUID(0, NA);
- if ( guest->cpuid->extd.max_leaf > host->cpuid->extd.max_leaf )
+ if ( guest->extd.max_leaf > host->extd.max_leaf )
FAIL_CPUID(0x80000000, NA);
/* TODO: Audit more CPUID data. */
- if ( ~host->msr->platform_info.raw & guest->msr->platform_info.raw )
+ if ( ~host->platform_info.raw & guest->platform_info.raw )
FAIL_MSR(MSR_INTEL_PLATFORM_INFO);
#undef FAIL_MSR
diff -Nru xen-4.14.5+94-ge49571868d/xen/Makefile xen-4.14.6/xen/Makefile
--- xen-4.14.5+94-ge49571868d/xen/Makefile 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/Makefile 2023-08-07 14:11:14.000000000 +0200
@@ -2,7 +2,7 @@
# All other places this is stored (eg. compile.h) should be autogenerated.
export XEN_VERSION = 4
export XEN_SUBVERSION = 14
-export XEN_EXTRAVERSION ?= .5$(XEN_VENDORVERSION)
+export XEN_EXTRAVERSION ?= .6$(XEN_VENDORVERSION)
export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION)
-include xen-version
diff -Nru xen-4.14.5+94-ge49571868d/xen/tools/gen-cpuid.py xen-4.14.6/xen/tools/gen-cpuid.py
--- xen-4.14.5+94-ge49571868d/xen/tools/gen-cpuid.py 2023-03-21 13:07:44.000000000 +0100
+++ xen-4.14.6/xen/tools/gen-cpuid.py 2023-08-07 14:11:14.000000000 +0200
@@ -50,13 +50,37 @@
"\s+([\s\d]+\*[\s\d]+\+[\s\d]+)\)"
"\s+/\*([\w!]*) .*$")
+ word_regex = re.compile(
+ r"^/\* .* word (\d*) \*/$")
+ last_word = -1
+
this = sys.modules[__name__]
for l in state.input.readlines():
- # Short circuit the regex...
- if not l.startswith("XEN_CPUFEATURE("):
+
+ # Short circuit the regexes...
+ if not (l.startswith("XEN_CPUFEATURE(") or
+ l.startswith("/* ")):
continue
+ # Handle /* ... word $N */ lines
+ if l.startswith("/* "):
+
+ res = word_regex.match(l)
+ if res is None:
+ continue # Some other comment
+
+ word = int(res.groups()[0])
+
+ if word != last_word + 1:
+ raise Fail("Featureset word %u out of order (last word %u)"
+ % (word, last_word))
+
+ last_word = word
+ state.nr_entries = word + 1
+ continue
+
+ # Handle XEN_CPUFEATURE( lines
res = feat_regex.match(l)
if res is None:
@@ -94,6 +118,15 @@
if len(state.names) == 0:
raise Fail("No features found")
+ if state.nr_entries == 0:
+ raise Fail("No featureset word info found")
+
+ max_val = max(state.names.keys())
+ if (max_val >> 5) >= state.nr_entries:
+ max_name = state.names[max_val]
+ raise Fail("Feature %s (%d*32+%d) exceeds FEATURESET_NR_ENTRIES (%d)"
+ % (max_name, max_val >> 5, max_val & 31, state.nr_entries))
+
def featureset_to_uint32s(fs, nr):
""" Represent a featureset as a list of C-compatible uint32_t's """
@@ -122,9 +155,6 @@
def crunch_numbers(state):
- # Size of bitmaps
- state.nr_entries = nr_entries = (max(state.names.keys()) >> 5) + 1
-
# Features common between 1d and e1d.
common_1d = (FPU, VME, DE, PSE, TSC, MSR, PAE, MCE, CX8, APIC,
MTRR, PGE, MCA, CMOV, PAT, PSE36, MMX, FXSR)
@@ -285,13 +315,20 @@
# IBRSB/IBRS, and we pass this MSR directly to guests. Treating them
# as dependent features simplifies Xen's logic, and prevents the guest
# from seeing implausible configurations.
- IBRSB: [STIBP, SSBD, INTEL_PSFD],
+ IBRSB: [STIBP, SSBD, INTEL_PSFD, EIBRS],
IBRS: [AMD_STIBP, AMD_SSBD, PSFD,
IBRS_ALWAYS, IBRS_FAST, IBRS_SAME_MODE],
+ IBPB: [IBPB_RET, SBPB, IBPB_BRTYPE],
AMD_STIBP: [STIBP_ALWAYS],
# In principle the TSXLDTRK insns could also be considered independent.
RTM: [TSXLDTRK],
+
+ # The ARCH_CAPS CPUID bit enumerates the availability of the whole register.
+ ARCH_CAPS: list(range(RDCL_NO, RDCL_NO + 64)),
+
+ # The behaviour described by RRSBA depend on eIBRS being active.
+ EIBRS: [RRSBA],
}
deep_features = tuple(sorted(deps.keys()))
@@ -325,7 +362,7 @@
state.nr_deep_deps = len(state.deep_deps.keys())
# Calculate the bitfield name declarations
- for word in range(nr_entries):
+ for word in range(state.nr_entries):
names = []
for bit in range(32):
More information about the Pkg-xen-devel
mailing list